Main Vulnerability Database Vulnerabilities #VU15701

#VU15701 Empty password in configuration file in InTouch Edge HMI and AVEVA Edge - CVE-2018-17914

Published: November 2, 2018

Vulnerability identifier: #VU15701

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-17914

CWE-ID: CWE-258

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
InTouch Edge HMI
AVEVA Edge

Software vendor:
AVEVA Software, LLC.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use of empty password in configuration file. A remote unauthenticated attacker can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update InduSoft Web Studio version 8.1 SP2.
Update InTouch Edge HMI to version 2017 SP2.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-18-305-01

#VU15701 Empty password in configuration file in InTouch Edge HMI and AVEVA Edge - CVE-2018-17914

Description

Remediation

External links

Please verify you're human