CVE-2019-6545 : What You Need to Know

CVE-2019-6545 affects AVEVA Software, LLC InduSoft Web Studio and InTouch Edge HMI. An unauthorized remote user could exploit this vulnerability to execute arbitrary processes on the server machine. Learn about the impact, technical details, and mitigation steps.

CVE-2019-6545 was published on February 5, 2019, by ICS-CERT. It affects AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update.

Understanding CVE-2019-6545

AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3 and InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update contain a security flaw that an unauthorized remote user could exploit.

What is CVE-2019-6545?

CVE-2019-6545 is an improper control of resource identifiers ('resource injection') vulnerability in AVEVA Software, LLC InduSoft Web Studio and InTouch Edge HMI.

The Impact of CVE-2019-6545

An unauthorized remote user could exploit this vulnerability by using a specially crafted database connection configuration file to execute arbitrary processes on the server machine.

Technical Details of CVE-2019-6545

CVE-2019-6545 is characterized by the following technical details:

Vulnerability Description

The vulnerability allows an unauthorized remote user to execute arbitrary processes on the server machine.

Affected Systems and Versions

        AVEVA Software, LLC InduSoft Web Studio prior to Version 8.1 SP3
        InTouch Edge HMI (formerly InTouch Machine Edition) prior to Version 2017 Update

Exploitation Mechanism

The vulnerability can be exploited by using a specially crafted database connection configuration file.

Mitigation and Prevention

To address CVE-2019-6545, consider the following mitigation strategies:

Immediate Steps to Take

        Apply the necessary security patches provided by the vendor
        Monitor network traffic for any suspicious activity

Long-Term Security Practices

        Implement strong access controls and authentication mechanisms
        Regularly update and patch software and systems

Patching and Updates

        Update AVEVA Software, LLC InduSoft Web Studio to Version 8.1 SP3 or later
        Update InTouch Edge HMI to Version 2017 Update or later
