AVEVA InduSoft Web Studio and InTouch Edge HMI (ICSA-19-036-01) – Products Used in the Water and Wastewater and Energy Sectors

The NCCIC has published an advisory on missing authentication for critical function and resource injection vulnerabilities in AVEVA InduSoft Web Studio and InTouch Edge HMI. For InduSoft Web Studio, versions prior to 8.1 SP3 are affected. For InTouch Edge HMI, versions prior to the 2017 update are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to execute an arbitrary process using a specially crafted database connection configuration file. AVEVA recommends affected users upgrade to the latest version of the affected products, which address the vulnerabilities. The NCCIC also advises on a series of mitigating measures for these vulnerabilities. Read the advisory at NCCIC/ICS-CERT.