AVEVA Enterprise Data Management Web

Plan PatchCVSS 9.6ICS-CERT ICSA-20-254-01Sep 10, 2020

AVEVA

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

AVEVA Enterprise Data Management Web versions 2019 and earlier contain a SQL injection vulnerability (CWE-89) that allows a remote attacker with network access to execute arbitrary SQL commands against the underlying database. Successful exploitation could result in unauthorized access, modification, or deletion of operational data, process configurations, or historical records stored in the system. The vulnerability affects all v2019 and earlier versions; v2019 SP1 is stated as not possible in the advisory, indicating upgrade to a later major release may be required.

What this means

What could happen

An attacker with network access to the SQL database could execute arbitrary SQL commands, potentially modifying or deleting critical operational data or process configurations stored in Enterprise Data Management Web.

Who's at risk

Water utilities and electric power providers using AVEVA Enterprise Data Management Web (eDNA Web) v2019 or earlier for supervisory data collection and reporting should evaluate their exposure. This includes organizations that rely on eDNA Web to manage historical data, operator logs, or process setpoints.

How it could be exploited

An attacker with access to the network segment where Enterprise Data Management Web v2019 or earlier is deployed can send malicious SQL queries directly to the affected device. No authentication or special complexity is required—the SQL injection vulnerability allows commands to be executed against the underlying database.

Prerequisites

Network access to the Enterprise Data Management Web server
Device running v2019 or earlier (not patched to SP1 or later)
Database port accessible from attacker's network location

Remotely exploitable (network access required)No authentication required for SQL injectionLow complexity attackHigh CVSS score (9.6)Low EPSS score (0.3%) — not currently a widespread active threatAffects data integrity and availability of operational records

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (1)

ProductAffected VersionsFix Status

Enterprise Data Management Web: v2019 and prior≤ 20192019 SP1 is not possible

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to Enterprise Data Management Web to authorized engineering and operations workstations only; do not expose the device to the Internet or the general business network

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to AVEVA Enterprise Data Management Web v2019 SP1 or later as soon as possible

HOTFIXIf upgrade to v2019 SP1 is not immediately possible, contact AVEVA Global Customer Support to obtain a hot-fix for eDNA Web v2018 SP2

Long-term hardening

0/2

HARDENINGIsolate the control system network segment containing Enterprise Data Management Web behind a firewall with explicit allow rules for only necessary connections

HARDENINGIf remote access to the device is required, use a VPN with current security patches and restrict VPN access to specific users with a business need

CVEs (3)

CVE-2020-13499 CVE-2020-13500 CVE-2020-13501

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5db68054-2616-4fd0-b464-a892c3f31892

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.