Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.4457
Advisory (icsa-22-249-02) AVEVA Edge 2020 R2 SP1 and all prior versions
8 September 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: AVEVA Edge
Publisher: ICS-CERT
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2022-36970 CVE-2022-36969 CVE-2022-28688
CVE-2022-28687 CVE-2022-28686 CVE-2022-28685
Original Bulletin:
https://us-cert.cisa.gov/ics/advisories/icsa-22-249-02
Comment: CVSS (Max): 7.8 CVE-2022-28687 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: ICS-CERT
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
ICS Advisory (ICSA-22-249-02)
AVEVA Edge 2020 R2 SP1 and all prior versions
Original release date: September 06, 2022
Legal Notice
All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/ .
1. EXECUTIVE SUMMARY
o CVSS v3 7.8
o ATTENTION: Low attack complexity
o Vendor: AVEVA
o Equipment: AVEVA Edge 2020 R2 SP1 and all prior versions
o Vulnerabilities: Insufficient UI Warning of Dangerous Operations,
Uncontrolled Search Path Element, Deserialization of Untrusted Data,
Improper Restriction of XML External Entity Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in arbitrary code
execution, information disclosure, or denial of service.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AVEVA Edge, an industrial software system, are
affected:
o AVEVA Edge: 2020 R2 SP1 and all prior versions
3.2 VULNERABILITY OVERVIEW
3.2.1 INSUFFICIENT UI WARNING OF DANGEROUS OPERATIONS CWE-357
The scripting capability provided by AVEVA Edge is unrestricted; a user could
abuse this to achieve arbitrary code execution.
CVE-2022-36970 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
A vulnerability exists in AVEVA Edge that could allow a malicious actor with
access to the file system to achieve arbitrary code execution and cause
escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28686 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).
3.2.3 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
A vulnerability exists in AVEVA Edge that could allow a malicious actor with
access to the file system to achieve arbitrary code execution and cause
escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28687 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).
3.2.4 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
A vulnerability exists in AVEVA Edge that could allow a malicious actor with
access to the file system to achieve arbitrary code execution and cause
escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28688 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:N/S:U/
C:H/I:H/A:H ).
3.2.5 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A vulnerability exists in AVEVA Edge that, if exploited, could allow a user to
tamper with project files to achieve arbitrary code execution.
CVE-2022-28685 has been assigned to this vulnerability. A CVSS v3 base score of
7.8 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:N/UI:R/S:U/
C:H/I:H/A:H ).
3.2.6 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611
This vulnerability, if exploited, could allow a malicious actor to cause a
denial-of-service condition in AVEVA Edge or to extract arbitrary files from
the host running AVEVA Edge.
CVE-2022-36969 has been assigned to this vulnerability. A CVSS v3 base score of
6.6 has been calculated; the CVSS vector string is ( AV:L/AC:L/PR:L/UI:R/S:U/
C:H/I:N/A:H ).
3.3 BACKGROUND
o CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
o COUNTRIES/AREAS DEPLOYED: Worldwide
o COMPANY HEADQUARTERS LOCATION: United Kingdom
3.4 RESEARCHER
Chris Anastasio from Incite Team; Piotr Bazydlo, Pedro Ribeiro, and Radek
Domanski from Flashback Team; Daan Keuper and Thijs Alkemade from Computest;
and Aaron Ferber reported these vulnerabilities to Trend Micro Zero Day
Initiative.
4. MITIGATIONS
AVEVA recommends organizations evaluate the impact of these vulnerabilities
based on their operational environment, architecture, and product
implementation.
AVEVA recommends applying security fixes for the affected products:
o For AVEVA Edge 2020 R2 SP1, users should apply security fix HF 2020.2.00.40
(login required) .
o For AVEVA Edge 2020 R2 and all prior versions (formerly known as InduSoft
Web Studio), users should first upgrade to AVEVA Edge 2020 R2 SP1 (login
required) and then apply security fix HF 2020.2.00.40
AVEVA advises the following precautions should be taken throughout the lifetime
of AVEVA Edge projects:
o Access Control Lists (ACLs) should be applied to all folders in which users
save and load project files.
o Maintain a trusted chain-of-custody on project files during creation,
modification, distribution, and use.
o Train users to always verify the source of a project before opening or
executing it.
For additional details, users can refer to the supplied help file in HF
2020.2.00.40 (login required).
For more information on this vulnerability, including security updates, users
should see security bulletin AVEVA-2022-005
CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability these vulnerabilities.
CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices
on the ICS webpage at cisa.gov/ics . Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies .
Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .
Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.
No known public exploits specifically target these vulnerabilities. These
vulnerabilities are not exploitable remotely.
For any questions related to this report, please contact the CISA at:
Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870
CISA continuously strives to improve its products and services. You can help by
choosing one of the links below to provide feedback about this product.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBYxlEzMkNZI30y1K9AQhpExAAoIayQPTkK2gd0Znj/qkV3YnA+7teaBpJ
mz5yYIfzDdQ8Cg7l24MxNHpmcRWHebKFvYZbceHGKnykHLFBdI96ldqlSUYf6Owh
PpFQ8wjqzMJHQAv5qAi5lVnI4e43X5ts/8YuE/QxoudubpgU4+8cxZqk4ElrJDla
FFjMmVLb4Ijm27q9+wiDKF/lPdkRSAeYdsFkzFEQAZW02jazNZRooQ/K31Vy/npt
1ivyqlxLhLhTPfgFdAn2sHP1RH1WhRn+1dno4RHAy2lrvAZe7YtjUtYSfRP9kG/I
MEzvtBi6G+mtrPKbzfmaCxsn3IeM8YKyPKPM+dV6OoM4v3MZwe+Ku4+OMX4AmjNH
8iDNuzRw24VZ/LQSZXQfK4SkvoFZpi1695X55E8e72CeQS2gIaqGf5j0ZVuG2jZ3
7881YyqNxTucmXPkK54pq5L1brhb1rAAaJdU6mb2rHx6eWkivr0n14xFaN1+psuf
whqDCEOpIEkknfYt7sRKR1owEzBEaf4U5LBZlfnwzDRuuMYeWSzqC+ANRQPv8LCe
iCQjJ06z5g37dPdfmv7vd6HtwF1zzfcdvt0T0TjNtBzGC0OMocI7QhZzfot3Utj+
WTwc5SMnXwN+2JBA+SqNLXLecuYTyAAKXTee8+YqIyrlBjSE5XEtfuh2KadCP1Tv
1kEN5NnYWFs=
=tf1o
-----END PGP SIGNATURE-----