CVE-2021-32977
📋 TL;DR
AVEVA System Platform versions 2017 through 2020 R2 P01 fail to properly verify cryptographic signatures for data, allowing attackers to bypass authentication and execute arbitrary code. This affects industrial control systems using these AVEVA products. The vulnerability enables remote code execution on affected systems.
💻 Affected Systems
- AVEVA System Platform
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, manipulate industrial processes, steal sensitive data, and potentially cause physical damage to industrial equipment.
Likely Case
Unauthorized access to industrial control systems, data manipulation, process disruption, and potential ransomware deployment in operational technology environments.
If Mitigated
Limited impact with proper network segmentation, application allowlisting, and restricted user privileges preventing code execution and lateral movement.
🎯 Exploit Status
No public proof-of-concept available, but the vulnerability is straightforward to exploit given the lack of cryptographic verification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020 R2 P02 and later
Vendor Advisory: https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf
Restart Required: Yes
Instructions:
1. Download and install AVEVA System Platform 2020 R2 P02 or later from AVEVA support portal. 2. Apply the update to all affected systems. 3. Restart the AVEVA System Platform services. 4. Verify the update was successful by checking the version.
🔧 Temporary Workarounds
Network Segmentation
allIsolate AVEVA System Platform systems from untrusted networks using firewalls and VLANs.
Application Allowlisting
windowsImplement application control to prevent execution of unauthorized binaries on affected systems.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks
- Deploy intrusion detection systems to monitor for exploitation attempts and anomalous behavior
🔍 How to Verify
Check if Vulnerable:
Check AVEVA System Platform version in the application interface or Windows Programs and Features. If version is between 2017 and 2020 R2 P01 inclusive, the system is vulnerable.Check Version:
Check via AVEVA System Platform interface or Windows Control Panel > Programs and FeaturesVerify Fix Applied:
Verify the installed version is 2020 R2 P02 or later. Check that cryptographic signature verification is functioning for data transfers.📡 Detection & Monitoring
Log Indicators:
- Unusual authentication bypass events
- Unexpected process execution from AVEVA services
- Failed cryptographic verification attempts
Network Indicators:
- Unusual network traffic to/from AVEVA System Platform ports
- Suspicious data transfers bypassing normal authentication channels
SIEM Query:
source="AVEVA System Platform" AND (event_type="authentication_bypass" OR process_execution="unexpected")🔗 References
- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05
- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2021-002.pdf
- https://www.cisa.gov/uscert/ics/advisories/icsa-21-180-05
