AVEVA recommends a system upgrade to mitigate an insufficiently protected credentials vulnerability in its Wonderware System Platform, according to a report from NCCIC.
This vulnerability, discovered by Vladimir Dashchenko from Kaspersky Lab, could allow unauthorized access to the credentials for the ArchestrA Network User Account.
Wonderware System Platform, a unifying supervisory platform, is affected in version 2017 Update 2 and prior.
Wonderware System Platform uses an ArchestrA network user account to authenticate system processes and inter-node communications. A user with low privileges could use an API to obtain the credentials for this account.
CVE-2019-6525 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
The product sees use mainly in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater sectors. It is deployed on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with a low skill level could leverage the vulnerability.
AVEVA recommends that users of Wonderware System Platform 2017 Update 2 and prior upgrade to System Platform 2017 Update 3 as soon as possible. The update is available for download (login required).
AVEVA has published Security Bulletin LFSEC00000135.
AVEVA recommends users secure industrial control systems according to NIST SP 800-82 Rev. 2.