CVE-2023-33873: 
NixOS vulnerability analysis and mitigation

A privilege escalation vulnerability identified as CVE-2023-33873 was discovered in AVEVA Operations Control Logger (formerly known as ArchestrA Logger). The vulnerability was disclosed on November 14, 2023, affecting multiple AVEVA products including AVEVA SystemPlatform, AVEVA Historian, AVEVA Application Server, and several other AVEVA software solutions through version 2020 R2 SP1 P01 and prior versions (CISA Advisory, AVEVA Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the following vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires local access with low attack complexity and low privileges, requires no user interaction, and has an unchanged scope. The impact affects confidentiality, integrity, and availability, all rated as high (CISA Advisory).

If successfully exploited, this vulnerability allows a local OS-authenticated user with standard privileges to escalate to System privilege on machines where the affected products are installed. This can result in complete compromise of the target machine (NVD).

AVEVA has released security updates to address the vulnerability. Users of affected products are recommended to apply security updates as soon as possible. Additionally, CISA recommends users take defensive measures such as minimizing network exposure, locating control system networks behind firewalls, isolating them from business networks, and exercising principles of least privilege (CISA Advisory).