
AVEVA recommends users upgrade to the latest software to mitigate an uncontrolled search path element vulnerability in its InduSoft Web Studio and InTouch Edge HMI products, according to an advisory from NCCIC.

Successful exploitation of this vulnerability, discovered by ADLab of Venustech, could allow execution of unauthorized code or commands.


The following versions of AVEVA InduSoft Web Studio and InTouch Edge HMI are affected by a vulnerability in a third-party component, Gemalto Sentinel UltraPro encryption keys:
• InduSoft Web Studio versions prior to v8.1 SP3
• InTouch Edge HMI versions prior to 2017 Update 3

The issue is an uncontrolled search path element in ux32w.dll, part of the third-party Sentinel UltraPro component: because the library is resolved through a search path the attacker can influence, a malicious file planted in a location searched before the legitimate copy could be loaded and executed by the application.
CVE-2019-6534 has been assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
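The check below is an added example written for this article; it is not AVEVA or Gemalto code and does not reproduce the exact condition inside ux32w.dll. It models the default Windows LoadLibrary search order (application directory, System32, the 16-bit System directory, the Windows directory, the current working directory, then each PATH entry when SafeDllSearchMode is enabled; the current directory moves up to second place when it is disabled) and reports every directory a low-privileged user could write to that is searched before the directory holding the legitimate DLL. All paths, file names and permissions in the demo are constructed for illustration, and the "fixed" layout shows the general mitigation (legitimate library in a non-writable, earliest-searched location), not the specific change AVEVA shipped.

```python
"""Uncontrolled search path element (CWE-427) check for a named DLL.

A DLL is hijackable when a directory the calling user can write to is
searched before the directory that holds the legitimate copy, or when no
legitimate copy exists at all (the "phantom DLL" case).
"""
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Dir:
    path: str
    files: Set[str] = field(default_factory=set)
    writable: bool = False  # writable by a low-privileged (non-admin) user


@dataclass
class Finding:
    dll: str
    resolved_from: Optional[str]   # directory holding the legitimate copy, if any
    hijackable_dirs: List[str]     # writable directories searched before it

    @property
    def vulnerable(self) -> bool:
        return bool(self.hijackable_dirs)


def _dedupe(dirs: List[Dir]) -> List[Dir]:
    """Keep first occurrence of each directory; Windows paths are case-insensitive."""
    seen, out = set(), []
    for d in dirs:
        key = d.path.lower().rstrip("\\/")
        if key not in seen:
            seen.add(key)
            out.append(d)
    return out


def search_order(app_dir: Dir, system_dirs: List[Dir], cwd: Dir,
                 path_dirs: List[Dir], safe_dll_search_mode: bool = True) -> List[Dir]:
    """Default LoadLibrary order for a DLL named without a path."""
    if safe_dll_search_mode:
        return _dedupe([app_dir, *system_dirs, cwd, *path_dirs])
    return _dedupe([app_dir, cwd, *system_dirs, *path_dirs])


def check_dll(dll: str, order: List[Dir]) -> Finding:
    """Walk the search order until the DLL is found, collecting writable dirs on the way."""
    target = dll.lower()
    hijackable: List[str] = []
    for d in order:
        if target in {f.lower() for f in d.files}:
            return Finding(dll, d.path, hijackable)
        if d.writable:
            hijackable.append(d.path)
    return Finding(dll, None, hijackable)  # never resolved: phantom DLL


def probe_dir(path: str) -> Dir:
    """Build a Dir from the live filesystem; os.access reflects the *running* user,
    so run this as the low-privileged account whose write access you care about."""
    try:
        files = set(os.listdir(path))
    except OSError:
        files = set()
    return Dir(path, files, os.path.isdir(path) and os.access(path, os.W_OK))


def demo_before_and_after():
    """Constructed layout with hypothetical paths: the HMI install directory is
    user-writable and the Sentinel runtime DLL lives only in System32."""
    system = [Dir(r"C:\Windows\System32", {"kernel32.dll", "ux32w.dll"}),
              Dir(r"C:\Windows\System"),
              Dir(r"C:\Windows")]
    cwd = Dir(r"C:\Users\operator\Desktop", writable=True)
    path_dirs = [Dir(r"C:\Tools", writable=True)]

    loose_app = Dir(r"C:\Program Files (x86)\HMI", {"app.exe"}, writable=True)
    before = check_dll("ux32w.dll", search_order(loose_app, system, cwd, path_dirs))

    # Mitigated layout: legitimate copy beside the executable, directory locked down.
    fixed_app = Dir(loose_app.path, loose_app.files | {"ux32w.dll"}, writable=False)
    after = check_dll("ux32w.dll", search_order(fixed_app, system, cwd, path_dirs))
    return before, after


if __name__ == "__main__":
    for label, f in zip(("before", "after"), demo_before_and_after()):
        print(f"{label}: resolved from {f.resolved_from}, "
              f"hijackable via {f.hijackable_dirs or 'nothing'}")
```

To assess a real host, build the `Dir` objects with `probe_dir` while running as the account an attacker would plausibly hold, and feed the application's install directory, the System32/System/Windows paths, the process' working directory and the split `PATH` into `search_order`. Any entry in `hijackable_dirs` is a location where a planted ux32w.dll would be loaded first.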


The products are deployed in the commercial facilities, critical manufacturing, energy, transportation systems, and water and wastewater systems sectors, and are in use worldwide.

No known public exploits specifically target this vulnerability. It is not exploitable remotely: an attacker first needs the ability to place a file on the target host in a location the affected component searches. Beyond that foothold, the attack itself requires little skill.

UK-based AVEVA recommends users upgrade to the latest versions, available at the following links:
InduSoft Web Studio v8.1 SP3

InTouch Edge HMI 2017 Update 3 (login required)

Users who are unable to upgrade to the latest version of InduSoft Web Studio or InTouch Edge HMI can alternatively apply Security Update LFSec131 (login required).

For additional information, see AVEVA Security Bulletin LFSEC00000131.
