AVEVA Historian Web Server
Status: Plan Patch
Score: 8.1
Source: ICS-CERT ICSA-24-228-10
Published: Aug 15, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
This vulnerability in AVEVA Historian allows an authenticated user to execute arbitrary SQL queries against the Historian database through the REST API interface. The flaw is triggered when users click on malicious URLs shared via email or other channels. Successful exploitation grants read and write access to the entire Historian database, potentially allowing an attacker to view, modify, or delete operational history, alarm records, and event logs. The issue affects Historian Server versions 2020 R2 through 2023 R2.
What this means
What could happen
An authenticated user could read and write data directly to the AVEVA Historian database, potentially allowing modification of historical records, alarms, or event logs that operators rely on for process monitoring and compliance reporting.
Who's at risk
Water utilities and electric utilities using AVEVA Historian for real-time process data logging and trending. Affects Historian Server versions 2020 R2 through 2023 R2. Anyone relying on Historian for regulatory compliance records, event auditing, or process trending could be impacted by data tampering.
How it could be exploited
An attacker with valid credentials (or who obtains them through social engineering) could craft a malicious SQL query through the Historian REST API interface and execute it against the backend database to extract or modify operational data without going through normal application controls.
Prerequisites
- Valid Historian user credentials
- Network access to the Historian REST API endpoint
- Knowledge of Historian database schema or ability to discover it
- User must click a malicious link or visit a crafted URL shared via social engineering
Tags:
- Remotely exploitable
- Authenticated users only
- Low complexity attack
- SQL injection (CWE-89)
- No patch available for 2023 R2 base version
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
Product | Affected Versions | Fix Status
Historian Server | 2023 R2 | No fix yet
Historian Server | ≥ 2023 and < 2023 P03 | No fix yet
Historian Server | ≥ 2020 and < 2020 R2 SP1 P01 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Educate Historian users to verify the source of URLs shared with them before clicking links, especially from email or chat
HARDENING: Restrict network access to the Historian REST API endpoint to trusted engineering workstations only using firewall rules
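The hardening step above, as an added example that is not part of the advisory or of AVEVA's own guidance: a PowerShell script that scopes inbound access to the Historian REST API port to named engineering workstations with the built-in Windows Defender Firewall cmdlets. The port held in $HistorianRestPort is a placeholder, since the advisory does not state it, and the workstation addresses are constructed sample values; both must be replaced with site-specific values before use.

```powershell
# Added example, not from the advisory or AVEVA: scope inbound access to the Historian
# REST API to named engineering workstations using Windows Defender Firewall cmdlets.
# Assumptions (the advisory states neither): the REST API listens on TCP
# $HistorianRestPort, and the workstation addresses below are constructed samples.
# Run from an elevated PowerShell session on the Historian server.

$HistorianRestPort   = 443                             # placeholder: set to the port the REST API actually listens on
$TrustedWorkstations = @('10.10.20.11', '10.10.20.12')  # constructed sample addresses of engineering workstations
$RuleName            = 'Historian REST API - trusted engineering workstations only'

# 1. Make sure the default inbound action is Block on every profile, so that only
#    explicit Allow rules admit traffic. (An explicit Block rule would also override
#    the scoped Allow rule below, which is why the script does not add one.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Report any enabled inbound Allow rule on the API port that is open to Any remote
#    address; such a rule would defeat the scoped rule and needs review or disabling.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq "$HistorianRestPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' allows TCP/$HistorianRestPort from Any; disable or rescope it"
        }
    }

# 3. Create the scoped Allow rule (replacing one left by a previous run, if any).
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $HistorianRestPort -RemoteAddress $TrustedWorkstations `
    -Profile Domain,Private

# 4. Verify the remote-address scope that was actually applied.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The script relies on the profile's default inbound Block plus one scoped Allow rule rather than adding a Block rule, because in Windows Defender Firewall an explicit Block always wins over an Allow and would cut off the trusted workstations as well. Step 2 exists because a broad pre-existing Allow rule on the same port (for example one created by an installer) silently widens the scope again; each warning it prints should be checked before the change is considered complete.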
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade AVEVA System Platform to 2023 R2 P01 or later
HOTFIX: For Historian 2023 versions (up to 2023 P03), upgrade to AVEVA System Platform 2023 P04
HOTFIX: For Historian 2020 R2 through 2020 R2 SP1 P01, upgrade to 2020 R2 SP1 P01 and apply AVEVA Hotfix 3190476
Long-term hardening
HARDENING: Isolate the Historian server and all HMI/engineering workstations from the business network using network segmentation
CVEs (1)