CVE-2018-10620

Name of the Vulnerable Software and Affected Versions AVEVA InduSoft Web Studio versions 8.1 through 8.1SP1 InTouch Machine Edition versions 2017 8.1 through 2017 8.1 SP1

Description A remote user could exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions, such as read and write, with potential for code to be executed. The vulnerability is caused by a buffer overflow in the TCP/IP Server component of HMI/SCADA systems due to inadequate input data processing, including tags, events, and alarm messages. This could allow a remote attacker to execute arbitrary code using a specially crafted packet.

Recommendations For AVEVA InduSoft Web Studio versions 8.1 through 8.1SP1, consider disabling tag, alarm, or event related actions until a patch is available. For InTouch Machine Edition versions 2017 8.1 through 2017 8.1 SP1, restrict access to the TCP/IP Server component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.