CVE-2021-33008 : Security Advisory and Response
Know everything about CVE-2021-33008, affecting AVEVA System Platform versions 2017 through 2020 R2 P01. Learn the impact, mitigation steps, and how to prevent unauthorized access.
CVE-2021-33008 is a vulnerability found in AVEVA System Platform versions 2017 through 2020 R2 P01. This vulnerability allows unauthorized users to access critical functions without proper authentication, posing a high risk to confidentiality, integrity, and availability.
Understanding CVE-2021-33008
CVE-2021-33008, titled 'AVEVA System Platform Missing Authentication for Critical Function,' was reported by Sharon Brizinov of Claroty to AVEVA. The vulnerability affects versions 2017 through 2020 R2 P01 of the AVEVA System Platform.
What is CVE-2021-33008?
AVEVA System Platform versions 2017 through 2020 R2 P01 lack proper authentication for functionalities that require a provable user identity. This oversight can be exploited by attackers to gain unauthorized access to critical functions within the system.
The Impact of CVE-2021-33008
The CVSS v3.1 base score for CVE-2021-33008 is 8.8, indicating a high severity level. The vulnerability has a high impact on confidentiality, integrity, and availability. Attackers can exploit this flaw with low privileges required and no user interaction, leading to potential network-based attacks.
Technical Details of CVE-2021-33008
Vulnerability Description
The vulnerability arises from the lack of authentication mechanisms in AVEVA System Platform versions 2017 through 2020 R2 P01, allowing unauthorized users to access critical functions.
Affected Systems and Versions
Affected systems include instances of AVEVA System Platform running versions 2017 through 2020 R2 P01.
Exploitation Mechanism
Attackers can exploit this vulnerability over the network with low complexity, impacting the system's availability, confidentiality, and integrity.
Mitigation and Prevention
Immediate Steps to Take
AVEVA recommends organizations affected by CVE-2021-33008 to evaluate the vulnerabilities based on their setup and apply the necessary security updates. Disable the AutoBuild service on Runtime nodes and only enable it on the designated GR Node for configuration.
Long-Term Security Practices
It is crucial to keep the AVEVA System Platform updated to the latest recommended versions. Regularly monitor for security bulletins and apply patches promptly to mitigate known vulnerabilities.
Patching and Updates
Users are advised to upgrade to updated versions of the System Platform, such as 2020 R2 P01, 2020 R2, or 2020, and apply the AVEVA Communication Drivers Pack 2020 R2.1 for enhanced security.
For detailed steps and compatibility information, refer to AVEVA's security bulletin AVEVA-2021-002.