PatchSiren cyber security CVE debrief

CVE-2024-6618 Ocean Data Systems CVE debrief

A path traversal vulnerability in Ocean Data Systems Dream Report 2023 allows local attackers to achieve remote code execution via malicious DLL injection. The flaw, published August 13, 2024, carries a CVSS 3.1 score of 7.8 (HIGH) and requires local access with low privileges but no user interaction. Affected versions include Dream Report 2023 up to 23.0.17795.1010 and AVEVA Reports for Operations 2023 at version 23.0.17795.1010. Ocean Data Systems has released Dream Report 2023 R2 (version 23.3.18952.0523) as a vendor fix, while AVEVA directs users to upgrade to Reports for Operations 2023 R2 or later and apply security bulletin AVEVA-2024-006.

Vendor: Ocean Data Systems
Product: Dream Report 2023
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations running Ocean Data Systems Dream Report 2023 or AVEVA Reports for Operations 2023 in industrial environments, particularly manufacturing, energy, and critical infrastructure sectors where Dream Report is commonly deployed for operational reporting and data visualization.

Technical summary

The vulnerability exists in Dream Report 2023's handling of file paths, where insufficient validation allows traversal outside intended directories. An attacker with local access can leverage this to inject and execute a malicious dynamic-link library, achieving remote code execution with the privileges of the Dream Report process. The attack requires low privileges and no user interaction, making it exploitable by any local user account. The CVSS 3.1 score of 7.8 reflects high impacts across confidentiality, integrity, and availability despite the local attack vector.
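
The block below is an added illustration of the vulnerability class described above; it is example code written for this debrief, not Ocean Data Systems code and not a reconstruction of the actual flaw in Dream Report. It contrasts a naive path join, which lets ".." segments and absolute names escape the intended directory, with a resolver that canonicalises the path, checks containment against the base directory and restricts the result to report file types. The base directory, the allowed extensions and every sample file name are assumptions.

```python
from __future__ import annotations

import os
from typing import Optional

# Placeholder base directory; the real Dream Report paths are not given on the page.
REPORT_ROOT = "/opt/dreamreport/reports"

# Assumption: this code path should only ever open report definitions, never modules.
ALLOWED_SUFFIXES = (".rpt", ".xml")


def naive_join(base: str, requested: str) -> str:
    """Vulnerable pattern: join the untrusted name onto the base directory and
    trust the result. A name containing '..' segments, or an absolute path,
    resolves outside `base` and is then opened or loaded from there."""
    return os.path.normpath(os.path.join(base, requested))


def safe_resolve(base: str, requested: str,
                 allowed_suffixes: tuple[str, ...] = ALLOWED_SUFFIXES) -> Optional[str]:
    """Return the canonical path for `requested` under `base`, or None if the
    name escapes the base directory or is not an allowed report type."""
    # Treat backslashes as separators so a Windows-style name is checked the
    # same way on the POSIX host this demo runs on.
    requested = requested.replace("\\", "/")
    base_real = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks, so the containment test
    # below sees the directory that would actually be accessed.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # Both paths are absolute, so commonpath cannot raise here.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None  # escaped the report directory
    if not candidate.lower().endswith(allowed_suffixes):
        return None  # wrong file type (e.g. a loadable module)
    return candidate


if __name__ == "__main__":
    for name in ("q1/summary.rpt", "../../plugins/untrusted.dll", "..\\..\\plugins\\untrusted.dll"):
        print(f"{name!r}: naive={naive_join(REPORT_ROOT, name)} safe={safe_resolve(REPORT_ROOT, name)}")
```

The two checks are deliberately independent: containment alone would still accept a module dropped inside the report directory, and the extension allowlist alone would still accept a report definition reached through traversal.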

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Ocean Data Systems Dream Report 2023 to version 23.3.18952.0523 (2023 R2) or later
  • For AVEVA Reports for Operations 2023 deployments, upgrade to 2023 R2 or later and apply security bulletin AVEVA-2024-006
  • Review CISA ICS recommended practices for defense-in-depth strategies
  • Implement principle of least privilege for local user accounts accessing Dream Report systems
  • Monitor for unauthorized DLL loading attempts in Dream Report application directories
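
One way to act on the last recommendation, as an added example that is not part of the CISA advisory or the vendor's tooling: take a hash baseline of every loadable module under the application directory and report anything added, removed or modified on each subsequent run. The directory layout and file names below are constructed for the demo and are built in a temporary directory so the script runs offline; the real Dream Report install path is not given on the page and appears only as a placeholder.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

# Placeholder only; substitute the real install directory for the deployment.
APP_DIR = r"C:\Program Files\DreamReport"

# Assumption: these are the module types the application can load.
MODULE_SUFFIXES = {".dll", ".exe", ".ocx"}


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: str) -> dict[str, str]:
    """Map each loadable module under `root` (POSIX-style relative path) to its SHA-256."""
    root_path = Path(root)
    result: dict[str, str] = {}
    for p in root_path.rglob("*"):
        if p.is_file() and p.suffix.lower() in MODULE_SUFFIXES:
            result[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return result


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted baseline and the current state.
    'added' is the case that matters most for an injected module."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def save_baseline(inv: dict[str, str], path: str) -> None:
    Path(path).write_text(json.dumps(inv, indent=2, sort_keys=True))


def load_baseline(path: str) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake install tree, then simulate one
    module being replaced and a new module appearing in the plugins folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "plugins").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"constructed executable bytes")
        (root / "bin" / "engine.dll").write_bytes(b"constructed library bytes v1")
        (root / "plugins" / "export.dll").write_bytes(b"constructed plugin bytes")
        (root / "README.txt").write_bytes(b"not a module, ignored by the inventory")

        baseline_path = root / "baseline.json"
        save_baseline(inventory(tmp), str(baseline_path))

        # Simulated change: one module altered, one unexpected module added.
        (root / "bin" / "engine.dll").write_bytes(b"constructed library bytes v2")
        (root / "plugins" / "unexpected.dll").write_bytes(b"constructed unexpected module")

        return diff_inventory(load_baseline(str(baseline_path)), inventory(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the inventory once right after installing the patched version to produce the baseline, keep that file somewhere the application's service account cannot write, and schedule the comparison. This catches modules placed on disk; to see load attempts as they happen, pair it with image-load telemetry (for example Sysmon Event ID 7) filtered to the application's process and directory.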

Evidence notes

CISA CSAF advisory ICSA-24-226-08 documents the path traversal vulnerability leading to DLL injection-based RCE. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H confirms local attack vector with high impact on confidentiality, integrity, and availability.

Official resources

Ocean Data Systems disclosed this vulnerability through CISA's ICS advisory program. The vendor has provided specific patched versions for both Dream Report and AVEVA Reports for Operations product lines.