Unrated severity · NVD Advisory · Published Feb 13, 2019 · Updated Sep 16, 2024

CVE-2019-6545

Description

In AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update, an unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated remote attacker can execute arbitrary OS commands on AVEVA InduSoft Web Studio (prior to 8.1 SP3) and InTouch Edge HMI (prior to 2017 Update) by sending a crafted command 66 via the remote agent protocol.

Vulnerability

CVE-2019-6545 is an unauthenticated remote command injection vulnerability in AVEVA InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update [3]. The vulnerability resides in the custom remote agent protocol, typically exposed on TCP ports 1234 or 51234 [2]. An attacker can send a specially crafted command 66, which causes the affected product to load a database connection configuration file from a remote SMB share [2]. This file can contain OS commands that are executed at the privilege level of the product process [2].

Exploitation

An attacker needs network access to the target machine's remote agent port (default 1234 or 51234) and does not require any authentication [2][3]. The attacker hosts an SMB share containing a crafted database connection configuration file. By sending a command 66 to the target, the product loads the file from the attacker's share, and the embedded OS commands are executed [1][2]. The provided exploit code uses the impacket library to set up an SMB server and sends the malicious packet [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary OS commands on the server machine at the privilege level of the running product process, typically SYSTEM or Administrator [2][3]. This results in complete compromise of confidentiality, integrity, and availability of the affected system.

Mitigation

AVEVA released fixes in InduSoft Web Studio Version 8.1 SP3 and InTouch Edge HMI Version 2017 Update [3]. Users should upgrade to these versions immediately [3]. The updates are available from AVEVA's download portals (e.g., http://download.indusoft.com/81.3.0/IWS81.3.0.zip) [3]. No workaround is documented for unpatched installations.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
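
The network pattern described under Vulnerability and Exploitation (an inbound connection to the remote agent port, followed by the product host opening SMB to fetch a file) can be hunted in flow logs. The following Python is an added detection example, not part of the advisory or of any vendor tooling; the flow-record format, the sample records, the SMB port 445, the 60-second window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta

AGENT_PORTS = {1234, 51234}      # remote agent ports named in the text above
SMB_PORT = 445                   # assumption: SMB over direct TCP
WINDOW = timedelta(seconds=60)   # assumption: correlation window

# Constructed flow records: timestamp src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
2019-02-14T10:00:00 10.0.5.20 10.0.1.10 1234
2019-02-14T10:00:05 10.0.1.10 10.0.1.50 445
2019-02-14T11:30:00 198.51.100.7 10.0.1.10 51234
2019-02-14T11:30:02 10.0.1.10 198.51.100.7 445
2019-02-14T12:00:00 10.0.1.10 203.0.113.9 443
"""

def parse(text):
    """Yield (time, src, dst, dst_port) for each non-empty record."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_agent_then_smb(text, hmi_hosts, trusted_smb=()):
    """Flag hosts in hmi_hosts that open SMB to a server outside trusted_smb
    within WINDOW of receiving a connection on a remote agent port.
    Returns (hmi, agent_client, smb_server, agent_port, smb_time) tuples."""
    last_agent = {}   # hmi -> (time, client, port) of latest inbound agent flow
    alerts = []
    for ts, src, dst, port in sorted(parse(text)):
        if dst in hmi_hosts and port in AGENT_PORTS:
            last_agent[dst] = (ts, src, port)
        elif src in hmi_hosts and port == SMB_PORT and dst not in trusted_smb:
            seen = last_agent.get(src)
            if seen and ts - seen[0] <= WINDOW:
                alerts.append((src, seen[1], dst, seen[2], ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in find_agent_then_smb(SAMPLE_FLOWS, {"10.0.1.10"},
                                     trusted_smb={"10.0.1.50"}):
        print("agent-port connection followed by untrusted SMB:", alert)
```

The SMB server is not required to be the same address as the agent-port client, since the share and the sender can be different hosts; the allowlist of known file servers keeps routine SMB traffic from alerting.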

Affected products

3
  • Range: <2017 Update
  • Range: <8.1 SP3
  • ICS-CERT/AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update · v5
    Range: AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update
