CVE-2019-6543
Description
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution vulnerability in AVEVA InduSoft Web Studio (prior to 8.1 SP3) and InTouch Edge HMI (prior to 2017 Update) allows arbitrary command execution with program runtime privileges.
Vulnerability
The vulnerability resides in AVEVA InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to the 2017 Update [3]. It combines missing authentication for a critical function (CWE-306) with resource injection (CWE-99) [2][3]. The InduSoft Web Studio custom remote agent protocol, typically listening on ports 1234 or 51234, does not require authentication. An attacker can therefore send a specially crafted command 66 that causes the application to load a database connection configuration file from a network share over SMB [2]. This DB file can contain arbitrary OS commands [2].
Exploitation
An attacker with network access to an affected system can send a crafted packet to the remote agent (ports 1234 or 51234) without authentication [2][1]. The attacker must also set up an SMB server to host a malicious database connection file [1][2]. The exploit leverages the lack of authentication and the resource injection to load the attacker-controlled file, resulting in execution of the embedded OS commands [2]. The attack is classified as requiring a low skill level to exploit [3].
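Detection logic for the sequence described above, added here as an example and not taken from AVEVA, the advisories or this page's references: it flags an HMI host that opens an SMB connection to a non-allowlisted server shortly after something connected to its remote agent port. The flow-record format, the sample records, TCP/445 for SMB, the 60-second window and the allowlist are assumptions.

```python
from datetime import datetime, timedelta

AGENT_PORTS = {1234, 51234}     # remote agent ports named on this page
SMB_PORT = 445                  # assumption: SMB carried over TCP/445
WINDOW = timedelta(seconds=60)  # assumption: correlation window

# Constructed flow records: (ISO timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2019-02-06T10:00:00", "10.20.0.15", "10.10.5.20", 51234),
    ("2019-02-06T10:00:03", "10.10.5.20", "10.10.1.5", 445),
    ("2019-02-06T11:30:00", "192.0.2.44", "10.10.5.20", 1234),
    ("2019-02-06T11:30:02", "10.10.5.20", "192.0.2.44", 445),
    ("2019-02-06T12:00:00", "10.10.5.21", "198.51.100.7", 445),
]


def find_suspect_smb_loads(flows, smb_allowlist=frozenset()):
    """Return alerts where a host that was just contacted on an agent port
    opens SMB to a server outside smb_allowlist within WINDOW."""
    agent_contacts = {}  # HMI host -> [(time, peer that hit its agent port)]
    alerts = []
    for ts, src, dst, dport in sorted(flows):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        if dport in AGENT_PORTS:
            agent_contacts.setdefault(dst, []).append((when, src))
        elif dport == SMB_PORT and dst not in smb_allowlist:
            for seen, peer in agent_contacts.get(src, []):
                if timedelta(0) <= when - seen <= WINDOW:
                    alerts.append({
                        "hmi": src,
                        "agent_peer": peer,
                        "smb_server": dst,
                        "delay_s": (when - seen).total_seconds(),
                        # SMB server is the host that contacted the agent
                        "same_peer": peer == dst,
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_smb_loads(SAMPLE_FLOWS, {"10.10.1.5"}):
        print(alert)
```

An SMB connection with no preceding agent-port contact (the last sample record) is ignored, so the rule stays quiet on ordinary file-share traffic from other hosts.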
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges under which the InduSoft Web Studio or InTouch Edge HMI process runs [2][1]. This could lead to full compromise of the affected machine, including data disclosure, modification, or denial of service [3].
Mitigation
AVEVA has released updates to address the vulnerability: InduSoft Web Studio Version 8.1 SP3 and InTouch Edge HMI 2017 Update [3]. Users should upgrade to these versions. Software updates can be downloaded from AVEVA's support portal [3]. No workarounds are provided; upgrading is the recommended mitigation [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2017 Update
- Range: <8.1 SP3
- ICS-CERT/AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update (v5). Range: AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.exploit-db.com/exploits/46342/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- ics-cert.us-cert.gov/advisories/ICSA-19-036-01 (mitre, x_refsource_MISC)
- www.tenable.com/security/research/tra-2019-04 (mitre, x_refsource_MISC)