InduSoft Web Studio, InTouch Holes Fixed

Thursday, November 1, 2018 @ 05:11 PM gHale

AVEVA Software, LLC, (AVEVA) upgraded its software to mitigate stack-based buffer overflow and an empty password in configuration file vulnerabilities in its InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition), according to a report with NCCIC.

Successful exploitation of these vulnerabilities, discovered by researchers at Tenable, could allow an unauthenticated user to remotely execute code.

RELATED STORIES
Update to 2-year-old CompactLogix Issue
Vecna Updates Fix for VGo Robot
PEPPERL+FUCHS Updates CT50-Ex
GEOVAP Fixes Reliance 4 SCADA/HMI

AVEVA reports the remotely exploitable vulnerabilities affect the following products:
• InduSoft Web Studio versions prior to 8.1 SP2
• InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2

In one vulnerability, a remote attacker could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. If InduSoft Web Studio remote communication security was not enabled, or a password was left blank, a remote user could send a carefully crafted packet to invoke an arbitrary process, with potential for code to be executed. The code would be executed under the privileges of the InduSoft Web Studio or InTouch Edge HMI runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Edge HMI server machine.

CVE-2018-17916 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The other vulnerability could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime.

CVE-2018-17914 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The product sees action in the commercial facilities, critical manufacturing, energy, transportation systems, and water and wastewater systems sectors. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

AVEVA recommends that users upgrade to InduSoft Web Studio v8.1 SP2 and InTouch Edge HMI (formerly InTouch Machine Edition) 2017 SP2 as soon as possible. Software updates can be downloaded from the Global Customer Support “Software Download” area:
• InduSoft Web Studio prior to v8.1 SP2
• InTouch Edge HMI (formerly InTouch Machine Edition) prior to 2017 SP2 (login required)

AVEVA recommends users update existing projects to enable the security features of InduSoft Web Studio and InTouch Edge HMI:
• Enable the new encrypted channel for communication and disable the unencrypted channel
• Set a strong Master Project password
• Set a strong password for the built-in account. By default, the built-in account is named Guest
• Set strong passwords for all other non-built-in accounts

AVEVA published Security Bulletin LFSEC00000130 on their website.



Leave a Reply

You must be logged in to post a comment.