CVE-2019-6543
📋 TL;DR
CVE-2019-6543 is a critical vulnerability in AVEVA's InduSoft Web Studio and InTouch Edge HMI software where code executes with program runtime privileges, potentially allowing attackers to compromise the entire machine. This affects industrial control systems and SCADA environments using these HMI products. Attackers could gain full control of affected systems.
💻 Affected Systems
- AVEVA InduSoft Web Studio
- AVEVA InTouch Edge HMI (formerly InTouch Machine Edition)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, safety hazards, data theft, or physical damage to industrial processes.
Likely Case
Remote code execution allowing attackers to install malware, steal sensitive industrial data, or disrupt HMI operations.
If Mitigated
Limited impact if systems are isolated, properly segmented, and have additional security controls in place.
🎯 Exploit Status
Exploit code is publicly available and can be executed without authentication. The vulnerability is actively exploited in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: InduSoft Web Studio Version 8.1 SP3 or later; InTouch Edge HMI Version 2017 Update or later
Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
Restart Required: Yes
Instructions:
1. Download the latest version from AVEVA's official website.
2. Backup current configurations and projects.
3. Install the update following vendor instructions.
4. Restart the system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected HMI systems from untrusted networks and the internet.
Firewall Rules
Implement strict firewall rules to limit access to HMI systems only from authorized sources.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from production networks and the internet.
- Deploy additional security controls like application whitelisting, intrusion detection systems, and enhanced monitoring.
🔍 How to Verify
Check if Vulnerable:
Check the software version in the application's About dialog or through Windows Programs and Features.
Check Version:
Check via Windows Control Panel > Programs and Features or the application's Help > About menu.
Verify Fix Applied:
Verify the installed version matches or exceeds the patched versions: InduSoft Web Studio 8.1 SP3+ or InTouch Edge HMI 2017 Update+.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation, unexpected network connections from HMI software, authentication failures, or privilege escalation attempts.
Network Indicators:
- Unexpected traffic to/from HMI systems, especially on non-standard ports or from unauthorized IP addresses.
SIEM Query:
Example: (process_name:"InduSoft*" OR process_name:"InTouch*") AND (event_type:"process_creation" OR event_type:"network_connection")
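The query above matches every HMI process start and connection, so it needs narrowing before it is useful as an alert. The following added example (not vendor or advisory code) applies the same match and then keeps only connections from addresses outside an allowlist and unexpected child processes. The `remote_ip` and `child_name` fields, the allowlist values and the process names in the sample events are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Process-name patterns and event types from the page's example SIEM query.
HMI_PATTERNS = ("indusoft*", "intouch*")
EVENT_TYPES = {"process_creation", "network_connection"}
# Assumed site-specific allowlists (placeholders, not vendor values).
AUTHORIZED_SOURCES = [ip_network("10.20.0.0/24")]
EXPECTED_CHILDREN = {"indusoftviewer.exe"}

def matches_query(event):
    """Page query: HMI process name AND one of the two event types."""
    name = event.get("process_name", "").lower()
    return (any(fnmatchcase(name, p) for p in HMI_PATTERNS)
            and event.get("event_type") in EVENT_TYPES)

def triage(event):
    """Return a reason string for events worth review, else None."""
    if not matches_query(event):
        return None
    if event["event_type"] == "network_connection":
        try:
            peer = ip_address(event.get("remote_ip", ""))
        except ValueError:
            return "connection with missing or malformed peer address"
        if not any(peer in net for net in AUTHORIZED_SOURCES):
            return f"connection with unauthorized address {peer}"
        return None
    child = event.get("child_name", "").lower()
    if child not in EXPECTED_CHILDREN:
        return f"unexpected child process {child or '<unknown>'}"
    return None

def alerts(events):
    """Pair each flagged event's process name with the triage reason."""
    return [(e["process_name"], r) for e in events if (r := triage(e))]

# Constructed sample events (not real telemetry; names are hypothetical).
SAMPLE_EVENTS = [
    {"process_name": "InduSoftRuntime.exe", "event_type": "network_connection", "remote_ip": "10.20.0.15"},
    {"process_name": "InduSoftRuntime.exe", "event_type": "network_connection", "remote_ip": "203.0.113.7"},
    {"process_name": "InTouchEdge.exe", "event_type": "process_creation", "child_name": "cmd.exe"},
    {"process_name": "InduSoftRuntime.exe", "event_type": "process_creation", "child_name": "InduSoftViewer.exe"},
    {"process_name": "explorer.exe", "event_type": "process_creation", "child_name": "cmd.exe"},
]

if __name__ == "__main__":
    for name, reason in alerts(SAMPLE_EVENTS):
        print(f"ALERT {name}: {reason}")
```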
🔗 References
- https://ics-cert.us-cert.gov/advisories/ICSA-19-036-01
- https://www.exploit-db.com/exploits/46342/
- https://www.tenable.com/security/research/tra-2019-04