07 November 2018

Critical vulnerabilities in AVEVA industrial software

Two critical vulnerabilities have been identified in industrial automation solutions AVEVA InduSoft Web Studio (versions prior to 8.1 SP2) and InTouch Edge HMI (versions prior to 2017 SP2). Successful exploitation of these vulnerabilities could allow an unauthenticated user to remotely execute arbitrary code on a target system.

The stack-based buffer overflow vulnerability (CVE-2018-17916) could be exploited by sending a specially crafted packet during tag, alarm, or event related actions, such as read and write, to invoke an arbitrary process, with potential for code to be executed. The code would run with the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the server machine. Exploitation is possible if InduSoft Web Studio remote communication security is not enabled, or if a password is left blank.

The second vulnerability, CVE-2018-17914, also involves an empty password specified in the configuration file and could allow arbitrary code to be executed remotely with the same privileges as InduSoft Web Studio or InTouch Edge HMI.

Both vulnerabilities were assigned a CVSS v3 base score of 9.8.

AVEVA recommends that users upgrade to new product versions, InduSoft Web Studio v8.1 SP2 and InTouch Edge HMI 2017 SP2, as soon as possible. These versions are not affected by the above vulnerabilities. In addition, the vendor emphasizes the importance of using the relevant security features of InduSoft Web Studio and InTouch Edge HMI:

- enabling the encrypted channel for communication;
- setting a strong Master Project password;
- setting a strong password for the built-in account (by default, the built-in account is named Guest);
- setting strong passwords for all other non-built-in accounts.

Sources: AVEVA, ICS-CERT