CVE-2019-6543
Published 2019-02-13
Priority P2 · 69 · critical · 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 17.29% (96.7th percentile)
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. Code is executed under the program runtime privileges, which could lead to the compromise of the machine.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | intouch_machine_edition_2014 | — | — |
Detection & IOCs (extracted from sources)
bytes: \x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03
bytes: \x02\x42 ... \x03
- Detect unauthenticated DBProcessCall command 66 (0x42) messages on the InduSoft Web Studio agent port; the protocol frame starts with 0x02 0x42 and ends with 0x03.
- Monitor for outbound SMB (port 445) connections originating from InduSoft Web Studio / InTouch Edge HMI processes, which may indicate the agent is fetching a remote malicious DB.xdc configuration file.
- Alert on SMB share name 'LOLWAT' appearing in network traffic or logs, as used in the published PoC exploit to serve the malicious DB.xdc file.
- Look for the connection initialisation byte sequence 0x02 0x31 0x10 0x31 0x10 0x38 0x10 0x31 0x10 0x31 0x03 on the InduSoft agent port as a precursor to exploitation.
- CVSS v3 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting full network-exploitability with no privileges or user interaction required.
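One way to apply the byte-level indicators above to one direction of a reassembled TCP stream, as an added example that is not taken from the advisory, the PoC or the sources quoted here. It assumes frames are delimited by 0x02 ... 0x03 with no raw 0x03 inside the body; the names `Finding`, `scan_payload` and `severity` and the sample payload are constructed for illustration.

```python
# Added example: flag the byte-level indicators listed above in a captured
# payload. Assumed framing: STX (0x02) ... ETX (0x03), no raw 0x03 in the body.
from dataclasses import dataclass

STX, ETX = b"\x02", b"\x03"
CMD_DBPROCESSCALL = 0x42                       # command 66
INIT_SEQ = bytes.fromhex("0231103110381031103103")
POC_SHARE = "LOLWAT"                           # share name named in the indicator list

@dataclass(frozen=True)
class Finding:
    kind: str        # "init" or "cmd66"
    offset: int      # position of the STX byte in the payload
    length: int      # frame length including STX and ETX
    poc_share: bool  # frame mentions the PoC share name

def _mentions_share(frame: bytes) -> bool:
    # Wire encoding is not stated on the page: check ASCII and UTF-16LE.
    upper = frame.upper()
    return (POC_SHARE.encode("ascii") in upper
            or POC_SHARE.encode("utf-16-le") in upper)

def scan_payload(payload: bytes) -> list[Finding]:
    """Walk STX..ETX frames and record the ones matching an indicator."""
    findings, pos = [], 0
    while (start := payload.find(STX, pos)) != -1:
        end = payload.find(ETX, start + 1)
        if end == -1:
            break                              # unterminated frame: need more data
        frame = payload[start:end + 1]
        if frame == INIT_SEQ:
            findings.append(Finding("init", start, len(frame), False))
        elif frame[1] == CMD_DBPROCESSCALL:
            findings.append(Finding("cmd66", start, len(frame), _mentions_share(frame)))
        pos = end + 1
    return findings

def severity(findings: list[Finding]) -> str:
    # Command 66 preceded by the initialisation sequence is the strongest signal.
    kinds = [f.kind for f in findings]
    if "cmd66" in kinds:
        return "high" if "init" in kinds[:kinds.index("cmd66")] else "medium"
    return "low" if "init" in kinds else "none"

# Constructed sample: init sequence, then a command-66 frame with a placeholder body.
SAMPLE = INIT_SEQ + b"\x02\x42<constructed body, share=LOLWAT>\x03"

if __name__ == "__main__":
    print(severity(scan_payload(SAMPLE)), scan_payload(SAMPLE))
```

Because the framing and escaping rules are assumptions, treat a hit as a lead to correlate with the outbound SMB indicator rather than as a confirmed exploitation attempt.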
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-pr9x-32vv-5c37: AVEVA Software, LLC InduSoft Web Studio prior to Version 8
ghsa_unreviewed·2022-05-13
CVE-2019-6543 [CRITICAL] CWE-306 GHSA-pr9x-32vv-5c37: AVEVA Software, LLC InduSoft Web Studio prior to Version 8
CISA ICS
AVEVA InduSoft Web Studio and InTouch Edge HMI
cisa_ics·2019-02-05·CVSS 9.8
[CRITICAL] AVEVA InduSoft Web Studio and InTouch Edge HMI
ICS Advisory
## AVEVA InduSoft Web Studio and InTouch Edge HMI
Last Revised: February 05, 2019
Alert Code: ICSA-19-036-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: AVEVA Software, LLC (AVEVA)
- Equipment: InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)
- Vulnerabilities: Missing Authentication for Critical Function, Resource Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to execute an arbitrary process using a specially crafted database
No detection rules found.
Tenable
Remote Code Execution in InduSoft Web Studio
blogs_tenable·2019-02-06·CVSS 9.8
CVE-2019-6545 [CRITICAL] Remote Code Execution in InduSoft Web Studio
# Remote Code Execution in InduSoft Web Studio
Tenable Research
February 6, 2019
Enterprises running InduSoft Web Studio should update their software and ensure these critical systems are not exposed to the internet.
Tenable Research has discovered an unauthenticated remote code execution (RCE) vulnerability in InduSoft Web Studio 8.1.2.0. ICS-CERT has assigned CVE-2019-6545 and CVE-2019-6543 for this vulnerability.
### Background
InduSoft Web Studio is an automation tool for human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. According to its website, Web Studio is used in manufacturing, oil and gas, municipal water and correctional facilities and even by a drag racer.
By exploiting this vulnerability, a