PatchSiren

CVE-2024-6619 Ocean Data Systems CVE debrief

CVE-2024-6619 is a high-severity incorrect permission vulnerability in Ocean Data Systems Dream Report 2023 and AVEVA Reports for Operations 2023. Published by CISA on August 13, 2024, this vulnerability allows a local unprivileged attacker to escalate privileges and potentially cause denial-of-service conditions. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability. The vulnerability stems from improper permission settings in affected versions up to 23.0.17795.1010. Ocean Data Systems has released Dream Report 2023 R2 (version 23.3.18952.0523) as a vendor fix, while AVEVA recommends upgrading to AVEVA Reports for Operations 2023 R2 or later. Organizations should prioritize patching given the local attack vector and high privilege escalation potential.

Vendor: Ocean Data Systems
Product: Dream Report 2023
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-08-13
Original CVE updated: 2024-08-13
Advisory published: 2024-08-13
Advisory updated: 2024-08-13

Who should care

Organizations running Ocean Data Systems Dream Report 2023 or AVEVA Reports for Operations 2023 in industrial control system environments. System administrators responsible for OT/ICS reporting infrastructure. Security teams monitoring for local privilege escalation vectors in manufacturing, energy, and critical infrastructure sectors where Dream Report is commonly deployed.

Technical summary

The vulnerability exists due to incorrect permission configurations in Dream Report 2023, which let a local attacker holding only low privileges escalate to a higher privilege level. The attack requires local access (AV:L) with low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability. The vulnerability affects two product variants: Ocean Data Systems Dream Report 2023 (versions <=23.0.17795.1010) and AVEVA Reports for Operations 2023 (version 23.0.17795.1010). Vendor fixes are available for both product lines.

Defensive priority

HIGH

Recommended defensive actions

  • Update Ocean Data Systems Dream Report 2023 to version 23.3.18952.0523 (2023 R2) or later
  • Update AVEVA Reports for Operations 2023 to 2023 R2 or later
  • Review and apply security bulletin AVEVA-2024-006 for AVEVA deployments
  • Implement the principle of least privilege for local user accounts
  • Monitor for anomalous privilege escalation attempts on affected systems
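
To prioritize the updates above, an asset inventory can be triaged against the version bounds stated on this page. The following Python is an added example, not code from CISA, Ocean Data Systems or AVEVA; the CSV columns, hostnames, product labels and sample rows are constructed assumptions. Builds for which the page gives no verdict are flagged VERIFY rather than guessed.

```python
import csv
import io

# Version bounds as stated on this page (ICSA-24-226-08).
AFFECTED_MAX = (23, 0, 17795, 1010)        # last affected build
DREAM_REPORT_FIXED = (23, 3, 18952, 523)   # Dream Report 2023 R2, "23.3.18952.0523"

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """host,product,version
hist-01,Dream Report,23.0.17795.1010
hist-02,Dream Report,23.3.18952.0523
hist-03,Dream Report,23.1.18000.0100
rpt-01,AVEVA Reports for Operations,23.0.17795.1010
rpt-02,AVEVA Reports for Operations,23.2.18500.0001
eng-07,Dream Report,23.0 (unknown build)
"""

def parse_version(text):
    """Parse 'a.b.c.d' into an int tuple so '0523' compares as 523, not as text."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part build number: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Return AFFECTED, FIXED, VERIFY (page gives no verdict) or UNPARSED."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "UNPARSED"
    if product == "Dream Report":
        if version <= AFFECTED_MAX:
            return "AFFECTED"
        if version >= DREAM_REPORT_FIXED:
            return "FIXED"
        return "VERIFY"  # between the two stated bounds
    if product == "AVEVA Reports for Operations":
        # Only one affected build is listed, and no build number for 2023 R2.
        return "AFFECTED" if version == AFFECTED_MAX else "VERIFY"
    return "VERIFY"

def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as VERIFY or UNPARSED need a manual check against the vendor bulletin before they are treated as patched.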

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSA-24-226-08. Affected products confirmed through CSAF product tree: Ocean Data Systems Dream Report 2023 (<=23.0.17795.1010) and AVEVA Reports for Operations 2023 (23.0.17795.1010). Remediation guidance includes specific vendor fix versions and security bulletin references.
