
AVEVA Software, LLC (AVEVA) recommends that users upgrade to the latest release to mitigate missing authentication for critical function and resource injection vulnerabilities in its InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition), according to a report with NCCIC.

Successful exploitation of these remotely exploitable vulnerabilities, which AVEVA self-reported, could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file.


The following versions of AVEVA products suffer from the issues:
• InduSoft Web Studio prior to Version 8.1 SP3
• InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update

In one vulnerability, code is executed under the program runtime privileges, which could lead to the compromise of the machine.


CVE-2019-6543 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, an unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

CVE-2019-6545 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The products see use mainly in the chemical, commercial facilities, critical manufacturing, energy, food and agriculture, transportation systems, and water and wastewater sectors. They are also deployed on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

AVEVA recommends affected users upgrade to the latest version of affected products. The following security updates address the vulnerabilities outlined in this advisory. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below.

The latest version of InduSoft Web Studio.

The latest version of InTouch Edge HMI can be found at (login required)

Information on how to reach AVEVA support for a specific product is available from AVEVA Software Global Customer Support and InduSoft Support.

For the latest security information and security updates, please visit AVEVA’s Security Central (login required) and InduSoft Security Updates.

AVEVA published Security Bulletin LFSEC00000133 on their website.
