CVE-2020-13499

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on eDNA Enterprise Data Historian systems via specially crafted SOAP requests to the CHaD.asmx web service. Successful exploitation can lead to complete compromise of the database and potentially the underlying system. Organizations using affected versions of eDNA Enterprise Data Historian are at risk.

💻 Affected Systems

Products:
  • eDNA Enterprise Data Historian
Versions: 3.0.1.2 and 7.5.4989.33053
Operating Systems: Windows (typical deployment)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of affected versions. The CHaD.asmx web service is typically enabled by default.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, manipulation, or destruction; potential remote code execution on the database server; full system compromise of the historian server.

🟠 Likely Case: Unauthorized access to sensitive industrial process data, configuration data theft, potential manipulation of historical data affecting operations.

🟢 If Mitigated: Limited impact with proper network segmentation, web application firewalls, and input validation controls in place.

🌐 Internet-Facing: HIGH - The vulnerable web service is typically exposed to networks, and exploitation requires no authentication.
🏢 Internal Only: HIGH - Even internally, the vulnerability can be exploited by any user with network access to the service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward using standard SQL injection techniques via SOAP requests. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.6.0.0 or later

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-254-01

Restart Required: Yes

Instructions:

1. Download and install eDNA Enterprise Data Historian version 7.6.0.0 or later from GE Digital.
2. Apply all security patches and updates.
3. Restart the eDNA services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to the eDNA historian web services to only trusted hosts and networks.

  • Configure firewall rules to block external access to port 80/443 on the eDNA server
  • Implement network segmentation using VLANs or separate network zones

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection protection rules in front of the eDNA web services.

  • Configure WAF rules to block SQL injection patterns in SOAP requests
  • Enable input validation and sanitization rules

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure of the vulnerable service
  • Deploy intrusion detection/prevention systems with SQL injection signatures

🔍 How to Verify

Check if Vulnerable:

Check the eDNA version via the web interface or by examining installed software in Windows Programs and Features. If the version is 3.0.1.2 or 7.5.4989.33053, the system is vulnerable.

Check Version:

Check the Windows registry key HKEY_LOCAL_MACHINE\SOFTWARE\GE\eDNA\Version, or examine the installed programs list.

Verify Fix Applied:

Verify that version 7.6.0.0 or later is installed. Test the CHaD.asmx endpoint with SQL injection payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or SQL errors in web server logs
  • SOAP requests with SQL keywords in InstancePath parameter

Network Indicators:

  • Unusual SOAP traffic patterns to CHaD.asmx
  • SQL injection patterns in HTTP POST requests
  • Unexpected database connections from web server

SIEM Query:

source="web_logs" AND (url="*CHaD.asmx*" AND (param="*InstancePath*" AND (value="*SELECT*" OR value="*UNION*" OR value="*INSERT*" OR value="*DELETE*")))
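As an added example (not part of the original advisory), the following Python applies the same indicator as the SIEM query above to raw request records: it restricts to CHaD.asmx, pulls InstancePath out of the SOAP body regardless of namespace, and matches the SQL keywords as whole words so that a legitimately named tag such as DeleteRequests does not fire. The SOAP element layout and the sample requests are constructed assumptions, not taken from the eDNA WSDL or real traffic.

```python
import re
import xml.etree.ElementTree as ET

# Keywords from the advisory's SIEM query; \b restricts matches to whole words,
# so a tag path like "Plant1/DeleteRequests" is not reported (case-insensitive).
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|INSERT|DELETE)\b", re.IGNORECASE)

def instance_path_values(body):
    """Return every InstancePath value in a SOAP body, namespace-agnostic.
    Malformed XML falls back to the raw body: a broken envelope aimed at the
    service is worth inspecting, not silently dropping."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [body]
    return [el.text or "" for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "InstancePath"]

def flag_request(url, body):
    """Return the SQL keywords found in InstancePath for a CHaD.asmx POST,
    or an empty list if the request does not match the indicator."""
    if "chad.asmx" not in url.lower():
        return []
    hits = []
    for value in instance_path_values(body):
        hits.extend(m.group(1).upper() for m in SQL_KEYWORDS.finditer(value))
    return sorted(set(hits))

def _soap(instance_path):
    # Constructed SOAP envelope; the element layout is an assumption, not
    # taken from the eDNA WSDL.
    return ('<?xml version="1.0"?><soap:Envelope xmlns:soap='
            '"http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            '<GetInstance xmlns="http://tempuri.org/"><InstancePath>'
            + instance_path + '</InstancePath></GetInstance>'
            '</soap:Body></soap:Envelope>')

# Constructed sample requests (url, body), not real traffic.
SAMPLE_REQUESTS = [
    ("/eDNA/CHaD.asmx", _soap("Plant1/Unit2/Temperature")),   # benign
    ("/eDNA/CHaD.asmx", _soap("Plant1/DeleteRequests")),      # benign look-alike
    ("/eDNA/CHaD.asmx", _soap("x' UNION SELECT 1,2 --")),     # injection pattern
    ("/eDNA/other.asmx", _soap("x' UNION SELECT 1,2 --")),    # wrong endpoint
]

def scan(requests):
    """Map request index -> keywords that fired; clean requests are omitted."""
    flagged = {i: flag_request(u, b) for i, (u, b) in enumerate(requests)}
    return {i: hits for i, hits in flagged.items() if hits}  # {2: ['SELECT', 'UNION']}
```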
