Insufficient UI Warning of Dangerous Operations in AVEVA Edge

#VU66774 Insufficient UI Warning of Dangerous Operations in AVEVA Edge

Published: 2022-08-26

Vulnerability identifier: #VU66774

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36970

CWE-ID: CWE-357

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
AVEVA Edge
Server applications / SCADA systems

Vendor: AVEVA Software, LLC.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to the user interface fails to provide sufficient indication of the hazard. A remote attacker can trick a victim to open a specially crafted APP file and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

AVEVA Edge: 2020 R2 SP1

External links
http://www.zerodayinitiative.com/advisories/ZDI-22-1129/
http://www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in AVEVA Edge