AVEVA Software, LLC (AVEVA) advises users to upgrade to the latest release to mitigate a missing authentication for critical function vulnerability and a resource injection vulnerability in its InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition), according to a report with NCCIC.
Successful exploitation of these remotely exploitable vulnerabilities, which AVEVA self-reported, could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file.
The following versions of AVEVA products are affected:
• InduSoft Web Studio prior to Version 8.1 SP3
• InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update
In the first vulnerability, code executes with the program's runtime privileges, which could lead to the compromise of the machine.
CVE-2019-6543 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, an unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.
CVE-2019-6545 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The products see use mainly in the chemical, commercial facilities, critical manufacturing, energy, food and agriculture, transportation systems, and water and wastewater sectors. They are deployed on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.
AVEVA recommends that affected users upgrade to the latest version of the affected products. The following security updates address the vulnerabilities outlined in this advisory. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below.
The latest version of InduSoft Web Studio.
The latest version of InTouch Edge HMI can be found at (login required)
AVEVA published Security Bulletin LFSEC00000133 on their website.