Full Report
AVEVA Wonderware System Platform vulnerability leading to Unauthorized Access to Credentials.
Analysis Summary
# Vulnerability: AVEVA Wonderware System Platform Unauthorized Access to Credentials
## CVE Details
- **CVE ID:** CVE-2019-6525
- **CVSS Score:** 8.8 (High) - *Note: While the article text displays 0.0, the provided vector string [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H] calculates to 8.8.*
- **CWE:** CWE-255 (Credentials Management) / CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **Products:** AVEVA Wonderware System Platform
- **Versions:** 2017 Update 2 and all prior versions.
- **Configurations:** Systems utilizing the ArchestrA Network User Account for inter-node communication and platform management.
## Vulnerability Description
The vulnerability exists within the ArchestrA service environment. It allows an authenticated user with low privileges to gain unauthorized access to the credentials of the **ArchestrA Network User Account**. This account is highly sensitive as it is typically used to manage administrative processes and communications across the entire System Platform topology.
## Exploitation
- **Status:** Unknown (No public PoC listed in the advisory).
- **Complexity:** Low
- **Attack Vector:** Network (Targeted via the network by an authenticated user).
## Impact
- **Confidentiality:** High (Full exposure of administrative service account credentials).
- **Integrity:** High (Attacker can use credentials to modify system configurations).
- **Availability:** High (Attacker can use credentials to disrupt industrial processes or shut down services).
## Remediation
### Patches
- **System Platform 2017 Update 3:** Users are advised to upgrade to this version (or later) to mitigate the vulnerability.
### Workarounds
- **Least Privilege:** Ensure that only trusted personnel have localized or network access to the nodes where Wonderware services are running.
- **Account Segregation:** Use unique, complex passwords for the ArchestrA Network User Account and rotate them immediately after applying the patch.
## Detection
- **Indicators of Compromise:** Monitor for unusual login activity or process execution under the context of the ArchestrA Network User Account from unexpected source IPs.
- **Detection methods:** Audit Windows Event Logs for Security events related to credential access and service account authentication.
## References
- **Vendor Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2019/03/01/klcert-19-002-avea-wonderware-system-platform-vulnerability-unauthorized-access-to-credentials/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-6525
- **CVE Calculator:** hxxps[://]www[.]first[.]org/cvss/calculator/3.1#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H