
Security Updates and Hotfixes

Below you will find a list of hotfixes for InduSoft Web Studio. Each hotfix applies to a specific InduSoft version, so choose the hotfix that matches your installed version.

Click here to view the release notes for the most recent InduSoft Web Studio versions.

You can also request information about our hotfixes by e-mail at suporte@indusoft.com.br or by telephone at (11) 3293-9139.

AVEVA Security Bulletin LFSEC00000131

Title

InduSoft Web Studio and InTouch Edge HMI - Insecure 3rd Party Component

Rating

Medium

Published By

AVEVA Software Security Response Center

Overview

AVEVA Software, LLC (“AVEVA”) has created a security update to address an outdated and insecure 3rd party component used in:

  • InduSoft Web Studio versions prior to 8.1 SP3
  • InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 Update 3

The vulnerability in the 3rd party component could result in code execution, but exploiting it requires privileged, local access to the user’s desktop or the ability to copy files into the InduSoft Web Studio or InTouch Edge HMI program folder.

Recommendations

Customers are advised to upgrade to:

  • InduSoft Web Studio v8.1 SP3
  • InTouch Edge HMI 2017 Update 3

Customers who cannot upgrade to the latest version of InduSoft Web Studio or InTouch Edge HMI can alternatively apply Security Update LFSec131, located at:

http://www.indusoft.com/download/patches/security/LFSec131.zip
https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52410


Vulnerability Characterization and CVSSv3 Rating

The vulnerability exists in Gemalto Sentinel Ultra Pro v1.3.2 and older, a 3rd party component used by InduSoft Web Studio and InTouch Edge HMI. Please refer to Gemalto CVE-2019-6534.

AVEVA CVSSv3: 6.5 | CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Acknowledgements

AVEVA would like to thank:

  • Yu Qiang for responsibly disclosing this vulnerability to ICS-CERT
  • Gemalto for the quick turnaround of a fix
  • ICS-CERT for coordination of advisories

Support

For information on how to reach AVEVA support for your product, please refer to these links: AVEVA Software Global Customer Support and InduSoft Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

AVEVA Security Central

For the latest security information and security updates, please visit Security Central and InduSoft Security Updates.

Cyber Security Standards and Best Practices

For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)

The U.S. Department of Homeland Security has adopted the Common Vulnerability Scoring System (CVSS v3), which provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability. Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer 

THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. AVEVA AND ITS AFFILIATES, PARENT AND SUBSIDIARIES  DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY AVEVA, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.  

AVEVA DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN AVEVA DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE.

IN NO EVENT WILL AVEVA OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF AVEVA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AVEVA LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD).




AVEVA Security Bulletin LFSEC00000133

Title

InduSoft Web Studio and InTouch Edge HMI – Remote Code Execution Vulnerabilities

Rating

Critical

Published By

AVEVA Software Security Response Center

Overview

AVEVA Software, LLC (“AVEVA”) has released a new version of InduSoft Web Studio and InTouch Edge HMI which includes a security update to address vulnerabilities in all versions prior to:

  • InduSoft Web Studio versions prior to 8.1 SP3
  • InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 Update 3

The vulnerabilities in the TCP/IP Server Task could allow an unauthenticated remote user to execute an arbitrary process using a specially crafted database connection configuration file. If the TCP/IP Server Task is disabled, InduSoft Web Studio and InTouch Edge HMI are not vulnerable.

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

Recommendations

Customers are advised to upgrade to:

  • InduSoft Web Studio v8.1 SP3
  • InTouch Edge HMI 2017 Update 3

Vulnerability Details

An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine. The code would run with the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.

Security Update

The following Security Updates address the vulnerabilities outlined in this Security Bulletin. Software updates can be downloaded from the Global Customer Support “Software Download” area or from the links below:

Product and Component: InduSoft Web Studio prior to v8.1 SP3
  Supported Operating System: Multiple, Embedded
  Security Impact: Confidentiality, Integrity, Availability
  Severity Rating: Critical
  Software Security Update: http://download.indusoft.com/81.3.0/IWS81.3.0.zip

Product and Component: InTouch Edge HMI prior to 2017 Update 3
  Supported Operating System: Multiple, Embedded
  Security Impact: Confidentiality, Integrity, Availability
  Severity Rating: Critical
  Software Security Update: https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=52354

Vulnerability Characterization and CVSSv3 Rating

CWE-306: Missing Authentication for Critical Function
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')

  • InduSoft Web Studio and InTouch Edge HMI: 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Acknowledgements

AVEVA would like to thank:

  • Tenable Research for the discovery, responsible disclosure of this vulnerability, and testing of the patch
  • ICS-CERT for coordination of advisories

Support

For information on how to reach AVEVA support for your product, please refer to these links:  AVEVA Software Global Customer Support and InduSoft Support.

If you discover errors or omissions in this Security Notification, please report the finding to Support.

AVEVA Security Central

For the latest security information and security updates, please visit Security Central and InduSoft Security Updates

Cyber Security Standards and Best Practices

For information regarding how to secure Industrial Control Systems please reference NIST SP800-82r2.

NVD Common Vulnerability Scoring System (CVSS v3)

The U.S. Department of Homeland Security has adopted the common Vulnerability Scoring System (CVSS v3) that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities.  CVSS v3 produces a numerical score as well as a textual representation of that score reflecting the severity of a vulnerability.  Scores range from 0.0 (no impact) to a maximum of 10.0 (critical impact with minimal effort to exploit). For additional information please refer to the CVSSv3 specifications.

Disclaimer 

THE INFORMATION PROVIDED HEREIN IS PROVIDED “AS-IS” AND WITHOUT WARRANTY OF ANY KIND. AVEVA AND ITS AFFILIATES, PARENT AND SUBSIDIARIES  DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY AVEVA, ITS DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES WILL CREATE A WARRANTY AND CUSTOMER MAY NOT RELY ON ANY SUCH INFORMATION OR ADVICE.  

AVEVA DOES NOT WARRANT THAT THE SOFTWARE WILL MEET CUSTOMER’S REQUIREMENTS, THAT THE SOFTWARE WILL OPERATE IN COMBINATIONS OTHER THAN AS SPECIFIED IN AVEVA DOCUMENTATION OR THAT THE OPERATION OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE.

IN NO EVENT WILL AVEVA OR ITS SUPPLIERS, DEALERS, DISTRIBUTORS, AGENTS OR EMPLOYEES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA OR USE, INCURRED BY CUSTOMER OR ANY THIRD PARTY, WHETHER IN AN ACTION IN CONTRACT OR TORT, EVEN IF AVEVA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AVEVA LIABILITY FOR DAMAGES AND EXPENSES HEREUNDER OR RELATING HERETO (WHETHER IN AN ACTION IN CONTRACT, TORT OR OTHERWISE) WILL IN NO EVENT EXCEED THE AMOUNT OF ONE HUNDRED DOLLARS ($100 USD).




Downloads

ISSymbolVM.cab Hotfix

Version: 7.1 + SP1

This hotfix fixes a problem with the version numbering of the ISSymbol control.

Download the Hotfix



InduSoft Web Studio v7.1 + SP1 Printer Hotfix

Version: 7.1 + SP1

There are two known problems when printing PDF files in InduSoft Web Studio v7.1 + SP1:
  1. The printed PDF file shows a watermark at the bottom of every page
  2. Printing to PDF does not generate a PDF file

Download the Printer Hotfix Now

Extract the zip file and run the appropriate .bat file as administrator. Read the “ReadMe.txt” for more information.


Hotfix 70.1.02.32/71.0.00.17 - Critical

Version: 7.0/7.1

WI2815: Directory Traversal Buffer Overflow. Provided and/or discovered by: OSVDB 73413, ICS-ALERT-13-004-01 and ICSA-13-067-01.

Solution: Install hotfix 70.1.02.32/71.0.00.17

Released 02/2013

Download Hotfix 70.1.02.32

Download Hotfix 71.0.00.17


Download and install v7.0 + SP1 + P1 (or later) - Moderate

Version: 6.1/7.0

WI2146: Improvement to the Remote Agent utility (CEServer.exe) to implement authentication between the development application and the target system, ensuring secure project downloads. Buffer-related problems when downloading large files were also fixed. Credits: OSVDB 77178 and 77179

Solution: Install v7.0 + SP1 + P1

Released 11/2011

Download


Hotfix 70.1.02.12 - Critical

Version: 7.0

WI1944: ISSymbol Virtual Machine buffer overflow, submitted and/or discovered by: OSVDB 72865.

Solution: Install hotfix 70.1.02.12

Released 11/2011

Download


Download and install v7.0 + SP1 + P1 (or later) - Moderate

Version: 7.0

WI1889: New buttons cause screens to take a very long time to load on Thin Clients

Solution: Install v7.0 + SP1 + P1

Download


Hotfix 61.6.03.19 - Critical

Version: 6.1 SP6 (Note: this problem also occurs with version 7.0 without Service Pack 1)

WI1944: ISSymbol Virtual Machine buffer overflow, submitted and/or discovered by: OSVDB 72865.

Solution: Install hotfix 61.6.03.19

Released 04/2011

The NTWebServer web server is shipped with InduSoft products for testing purposes only, as stated in the InduSoft Web Studio documentation. Real applications running in the field should not be affected, since they use IIS or Apache instead of NTWebServer. Nevertheless, InduSoft addressed the security issue in version 7.0 + SP1. Note: if you are using the old version of NTWebServer, or running the PCDemo project, please copy/use the NTWebServer.exe located in the Bin folder where InduSoft Web Studio v7.0 + SP1 (or later) is installed.

Download