Learn about CVE-2021-32971, a high-severity vulnerability in the SuiteLink server of AVEVA products, impacting System Platform 2020, InTouch 2020, Historian 2020, and others. Find mitigation steps and security updates.
A null pointer dereference vulnerability was discovered in the SuiteLink server, affecting various AVEVA products.
Understanding CVE-2021-32971
This vulnerability, reported by Sharon Brizinov of Claroty, poses a high-severity risk due to a null pointer dereference when processing a specific command.
What is CVE-2021-32971?
CVE-2021-32971 is a null pointer dereference vulnerability in the SuiteLink server of AVEVA products.
The Impact of CVE-2021-32971
With a CVSS Base Score of 7.5, this vulnerability can have a high impact on availability when exploited over a network, and it requires no user interaction or privileges.
Technical Details of CVE-2021-32971
This section digs into the specific technical aspects of the vulnerability.
Vulnerability Description
The vulnerability involves a null pointer dereference in the SuiteLink server while processing command 0x07.
Affected Systems and Versions
Various AVEVA products are affected, including System Platform 2020, InTouch 2020, Historian 2020, Communication Drivers Pack 2020, Batch Management 2020, and MES 2014.
Exploitation Mechanism
The vulnerability is triggered when processing command 0x07, leading to a null pointer dereference that could impact system availability.
Mitigation and Prevention
To safeguard systems from CVE-2021-32971, organizations are advised to take the following actions.
Immediate Steps to Take
Affected users should apply the corresponding security update provided by AVEVA. Some updates may require activation-based licensing.
Long-Term Security Practices
Implementing robust security measures, regular risk assessments, and staying informed about software vulnerabilities can enhance long-term security.
Patching and Updates
Refer to AVEVA security bulletin AVEVA-2021-003 for comprehensive information on addressing CVE-2021-32971.