InduSoft has been made aware of, and has already corrected, a vulnerability in the security of InduSoft Web Studio. The correction is available in Patch 1 of InduSoft Web Studio v 7.0 + SP1; downloading and installing the patch ensures that the InduSoft Web Studio v 7.0 software is no longer exposed to this backdoor security vulnerability.
The vulnerability that was presented to InduSoft involves the Remote Agent (CEServer.exe) module, which allows the InduSoft Development Environment to deploy updates on remote machines. Even though the Remote Agent is usually not exposed to the internet directly without firewall or VPN protection, InduSoft decided to proactively address the problem and improve the security of this module to make sure that customers would not be threatened. There was also a vulnerability in this same module when sending the command to remove files with long names: under this scenario a buffer overrun occurred in CEServer, which could expose InduSoft users to malicious attackers. Both issues have been properly addressed in version 7.0 + Service Pack 1 + Patch 1, and no longer present a risk once the patch is downloaded and installed.
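The second issue above is a classic fixed-buffer overrun: a file name supplied by the remote side is copied into a path buffer without first checking that it fits. The following C code is an added illustration written for this page; it is not InduSoft's code and does not reproduce the CEServer.exe protocol. The two-byte length-prefixed message frame, the 260-byte path buffer and the function names are assumptions chosen to show the defect class and the length checks that prevent it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed MAX_PATH-sized destination buffer for the file name. */
#define PATH_BUF_SIZE 260

enum remove_status {
    REMOVE_OK = 0,
    REMOVE_NAME_TOO_LONG = 1,   /* name would not fit the path buffer */
    REMOVE_BAD_FRAME = 2        /* frame malformed or length inconsistent */
};

/* Vulnerable pattern, shown only for contrast and never called here:
 * the length of 'name' is controlled by the remote sender, so strcpy()
 * writes past the end of 'path' when the name exceeds PATH_BUF_SIZE-1. */
void remove_file_unchecked(const char *name)
{
    char path[PATH_BUF_SIZE];
    strcpy(path, name);   /* unbounded copy: the overrun lives here */
    (void)path;
}

/* Hardened handler: the name is copied only after verifying it fits,
 * including the terminating NUL. Instead of deleting anything, the
 * validated path is written to 'out' and a status is returned. */
enum remove_status remove_file_checked(const char *name, size_t name_len,
                                       char *out, size_t out_size)
{
    if (name_len == 0 || memchr(name, '\0', name_len) != NULL)
        return REMOVE_BAD_FRAME;          /* empty name or embedded NUL */
    if (name_len >= out_size)
        return REMOVE_NAME_TOO_LONG;      /* no room for name + NUL */
    memcpy(out, name, name_len);
    out[name_len] = '\0';
    return REMOVE_OK;
}

/* Assumed wire format for the "remove file" command (constructed):
 *   [u16 little-endian name_len][name_len bytes of file name]
 * The declared length is checked against the bytes actually received
 * before it is trusted, so a short frame cannot make the handler read
 * beyond the message. */
enum remove_status parse_remove_command(const unsigned char *msg, size_t msg_len,
                                        char *out, size_t out_size)
{
    if (msg_len < 2)
        return REMOVE_BAD_FRAME;
    size_t name_len = (size_t)msg[0] | ((size_t)msg[1] << 8);
    if (name_len > msg_len - 2)
        return REMOVE_BAD_FRAME;          /* declared length exceeds payload */
    return remove_file_checked((const char *)msg + 2, name_len, out, out_size);
}

/* Helper for the demonstration: build a frame whose name is 'n' bytes of
 * 'A' and run it through the hardened parser. */
enum remove_status try_name_of_length(size_t n)
{
    unsigned char msg[2 + 2000];
    char out[PATH_BUF_SIZE];
    if (n > 2000)
        n = 2000;
    msg[0] = (unsigned char)(n & 0xff);
    msg[1] = (unsigned char)((n >> 8) & 0xff);
    memset(msg + 2, 'A', n);
    return parse_remove_command(msg, 2 + n, out, sizeof out);
}

/* Helper: a frame that declares 50 name bytes but carries only 10. */
enum remove_status try_truncated_frame(void)
{
    unsigned char msg[12] = { 50, 0, 'f', 'i', 'l', 'e', '.', 't', 'x', 't', '1', '2' };
    char out[PATH_BUF_SIZE];
    return parse_remove_command(msg, sizeof msg, out, sizeof out);
}

int main(void)
{
    printf("13-byte name:   status %d\n", (int)try_name_of_length(13));
    printf("259-byte name:  status %d\n", (int)try_name_of_length(259));
    printf("260-byte name:  status %d\n", (int)try_name_of_length(260));
    printf("1000-byte name: status %d\n", (int)try_name_of_length(1000));
    printf("truncated:      status %d\n", (int)try_truncated_frame());
    return 0;
}
```

The point of the two checks in parse_remove_command and remove_file_checked is that both lengths the remote side controls, the declared name length and the actual payload size, are validated against what the receiver owns (the received byte count and the destination buffer) before any copy happens; a name of 260 or more bytes is refused rather than overrunning the buffer.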
For users who run an older version of InduSoft Web Studio, the suggested best practice for maintaining security is to avoid exposing the Remote Agent directly to the internet without a secure encrypted channel. Regardless of whether or not the new update is deployed, InduSoft suggests protecting your network environment with VPN secure channels and firewalls. This is always a good practice, and should be followed whenever possible. Users can also control the Remote Agent's execution and availability by using the InduSoft Web Studio built-in functions, such as WinExec, AppPostMessage and AppIsRunning.
If you have any questions or concerns about this, please do not hesitate to contact us. We are available by phone in the United States at 877-463-8763, in Germany at +49 (0) 6227-732510, or in Brazil at +55-11-3293-9139. We will also answer any email at firstname.lastname@example.org.