CVE-2018-10628 in InTouch

Summary

by MITRE

AVEVA InTouch 2014 R2 SP1 and prior, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2 allow an unauthenticated user to send a specially crafted packet that could overflow the buffer on a locale not using a dot floating point separator. Exploitation could allow remote code execution under the privileges of the InTouch View process.

Analysis

by VulDB Data Team • 03/09/2020

The vulnerability identified as CVE-2018-10628 affects AVEVA InTouch 2014 R2 SP1 and earlier, InTouch 2017, InTouch 2017 Update 1, and InTouch 2017 Update 2. It is a critical buffer overflow in the application's handling of locale-specific data, specifically floating point number representations, and stems from inadequate input validation and memory management in the InTouch View process.

The flaw is triggered when an unauthenticated remote attacker sends a specially crafted packet to the vulnerable system. The overflow occurs only on systems whose locale does not use a dot as the floating point separator, for example locales that use a comma as the decimal separator. Under such a locale the application fails to validate the size of incoming data before copying it into a fixed-size buffer, corrupting memory in a way that can be exploited to execute arbitrary code. The vulnerability is classified as CWE-121, a stack-based buffer overflow, a well-known weakness class.

The operational impact is severe: remote code execution with the privileges of the InTouch View process, which typically runs with elevated system permissions, could give an attacker control over the industrial control system environment in which InTouch is deployed. This is particularly concerning because InTouch is commonly used for human machine interface (HMI) applications, so exploitation could disrupt critical infrastructure operations, manipulate data, or grant unauthorized access to industrial processes. Because the flaw lies in network input that is processed without proper bounds checking, any network-accessible InTouch installation running an affected version is exposed.

Organizations should immediately apply the vendor-provided security patches and updates, segment networks to limit access to InTouch systems, and deploy intrusion detection to monitor for exploitation attempts. The vulnerability aligns with ATT&CK techniques T1203 (Exploitation for Client Execution) and T1059 (Command and Scripting Interpreter), as it enables remote code execution through network-based attacks. Additional measures include disabling unnecessary network services, enforcing strict access controls, and conducting regular security assessments of industrial control systems. The flaw shows why input validation and secure coding practices matter, particularly around internationalization and localization, as outlined in the OWASP Top 10 security considerations for web applications and industrial control systems.
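The locale-independent, bounds-checked number handling that the analysis above calls for, as an added example that is neither InTouch's code nor VulDB's. It assumes a hypothetical wire format in which numeric fields are ASCII with a '.' separator, and the function names are invented for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (assumption, not InTouch's protocol): numeric
 * fields are ASCII with a '.' separator regardless of the HMI's display
 * locale, so every conversion uses a fixed "C" locale object instead of
 * the process locale, which an operator may have set to one using ','. */
static locale_t c_locale(void) {
    static locale_t loc = (locale_t)0;
    if (loc == (locale_t)0)
        loc = newlocale(LC_NUMERIC_MASK, "C", (locale_t)0);
    return loc;
}

/* Parse a length-delimited field into *out. Returns 0 on success, -1 if the
 * field is empty, too long for the scratch buffer, non-numeric, out of
 * range, or followed by trailing characters (e.g. a ',' separator). */
int wire_parse_double(const char *field, size_t len, double *out) {
    char tmp[64];                       /* bounded scratch copy */
    if (len == 0 || len >= sizeof tmp) return -1;
    memcpy(tmp, field, len);
    tmp[len] = '\0';
    char *end = NULL;
    errno = 0;
    locale_t old = uselocale(c_locale());
    double v = strtod(tmp, &end);       /* '.' is the only separator here */
    uselocale(old);
    if (errno == ERANGE || end == tmp || *end != '\0') return -1;
    *out = v;
    return 0;
}

/* Format v into out[outlen] in the "C" locale. Returns the length written, or
 * -1 if the text would not fit. The buffer is never overrun, unlike
 * sprintf(buf, "%f", v) into a fixed array sized for one locale's output. */
int wire_format_double(double v, char *out, size_t outlen) {
    locale_t old = uselocale(c_locale());
    int n = snprintf(out, outlen, "%.6g", v);
    uselocale(old);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen) out[0] = '\0';
        return -1;
    }
    return n;
}
```

The parser rejects "1,5" outright instead of silently truncating it, and the formatter reports an oversized result instead of writing past the buffer.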

Reservation

05/01/2018

Disclosure

07/24/2018

Moderation

accepted

CPE

ready

EPSS

0.07032

KEV

no

Activities

very low
