InduSoft Web Studio and InTouch Edge HMI – Remote Code Execution Vulnerabilities
AVEVA Software Security Response Center
AVEVA Software, LLC (“AVEVA”) has released a new version of InduSoft Web Studio and InTouch Edge HMI which includes a security update to address vulnerabilities in all versions prior to:
- InduSoft Web Studio versions prior to 8.1 SP3
- InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 Update 3
The vulnerabilities in the TCP/IP Server Task could allow an unauthenticated user to remotely execute an arbitrary process using a specially crafted database connection configuration file. If the TCP/IP Server Task is disabled, InduSoft Web Studio or InTouch Edge HMI is not vulnerable.
AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Customers are advised to upgrade to:
- InduSoft Web Studio v8.1 SP3
- InTouch Edge HMI 2017 Update 3
An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the Server Machine. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.
The following Security Updates address the vulnerabilities outlined in this Security Bulletin. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:
Vulnerability Characterization and CVSSv3 Rating
CWE-306: Missing Authentication for Critical Function,
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
· InduSoft Web Studio and InTouch Edge HMI:
9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AVEVA would like to thank:
· Tenable Research for the discovery, responsible disclosure of this vulnerability, and testing of the patch
· ICS-Cert for coordination of advisories
For information on how to reach AVEVA support for your product, please refer to these links: AVEVA Software Global Customer Support and InduSoft Support.
If you discover errors or omissions in this Security Notification, please report the finding to Support.
AVEVA Security Central
For the latest security information and security updates, please visit Security Central and InduSoft Security Updates
Cyber Security Standards and Best Practices
For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.
NVD Common Vulnerability Scoring System (CVSS v3)
The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability. Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.
THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. AVEVA AND ITS AFFILIATES, PARENT AND SUBSIDIARIES DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY AVEVA, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.
AVEVA DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN AVEVA DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE.
IN NO EVENT WILL AVEVA OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF AVEVA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AVEVA LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD).