CVE-2022-1467
📋 TL;DR
This vulnerability allows attackers to escape from AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications to execute OS commands via manipulation of the Windows language bar. It affects industrial control systems running these applications on Windows OS with the language bar enabled. Successful exploitation could lead to full system compromise.
💻 Affected Systems
- AVEVA InTouch Access Anywhere
- AVEVA Plant SCADA Access Anywhere
📦 What is this software?
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing execution of arbitrary OS commands, lateral movement within the network, and potential disruption of industrial processes.
Likely Case
Unauthorized access to the underlying Windows OS, installation of malware, data exfiltration, or disruption of SCADA operations.
If Mitigated
Limited impact if language bar is disabled or applications are properly isolated, though some risk remains from other attack vectors.
🎯 Exploit Status
Exploitation requires user interaction with the language bar within the application context.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.aveva.com/en/support-and-success/cyber-security-updates/
Restart Required: Yes
Instructions:
1. Review AVEVA security advisory. 2. Apply vendor-provided patches. 3. Restart affected systems. 4. Verify patch installation.
🔧 Temporary Workarounds
Disable Windows Language Bar
windowsPrevents exploitation by removing the vulnerable OS component from the application context.
Control Panel > Region and Language > Keyboards and Languages > Change keyboards > Language Bar > Hidden
Application Isolation
windowsRun applications in isolated environments or with reduced privileges.
🧯 If You Can't Patch
- Implement network segmentation to isolate affected systems from critical networks.
- Apply strict access controls and monitor for unusual language bar interactions.
🔍 How to Verify
Check if Vulnerable:
Check if Windows language bar is enabled and accessible within AVEVA applications on unpatched systems.Check Version:
Check application version through AVEVA interface or system documentation.Verify Fix Applied:
Verify patch installation via vendor version checks and confirm language bar no longer allows command execution.📡 Detection & Monitoring
Log Indicators:
- Unexpected command prompt launches from application context
- Language bar interaction logs in Windows event logs
Network Indicators:
- Unusual outbound connections from SCADA systems
- Anomalous process execution patterns
SIEM Query:
Process creation events where parent process is AVEVA application and child process is cmd.exe or powershell.exe