AVEVA Historian Web Server

Plan PatchCVSS 8.1ICS-CERT ICSA-24-228-10Aug 15, 2024

AVEVA

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

This vulnerability in AVEVA Historian allows an authenticated user to execute arbitrary SQL queries against the Historian database through the REST API interface. The flaw is triggered when users click on malicious URLs shared via email or other channels. Successful exploitation grants read and write access to the entire Historian database, potentially allowing an attacker to view, modify, or delete operational history, alarm records, and event logs. The issue affects Historian Server versions 2020 R2 through 2023 R2.

What this means

What could happen

An authenticated user could read and write data directly to the AVEVA Historian database, potentially allowing modification of historical records, alarms, or event logs that operators rely on for process monitoring and compliance reporting.

Who's at risk

Water utilities and electric utilities using AVEVA Historian for real-time process data logging and trending. Affects Historian Server versions 2020 R2 through 2023 R2. Anyone relying on Historian for regulatory compliance records, event auditing, or process trending could be impacted by data tampering.

How it could be exploited

An attacker with valid credentials (or who obtains them through social engineering) could craft a malicious SQL query through the Historian REST API interface and execute it against the backend database to extract or modify operational data without going through normal application controls.

Prerequisites

Valid Historian user credentials
Network access to the Historian REST API endpoint
Knowledge of Historian database schema or ability to discover it
User must click a malicious link or visit a crafted URL shared via social engineering

Remotely exploitableAuthenticated users onlyLow complexity attackSQL injection (CWE-89)No patch available for 2023 R2 base version

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (3)

3 pending

ProductAffected VersionsFix Status

Historian Server: 2023_R22023 R2No fix yet

Historian Server: >=2023|<2023_P03≥ 2023|<2023 P03No fix yet

Historian Server: >=2020|<2020_R2_SP1_P01≥ 2020|<2020 R2 SP1 P01No fix yet

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDEducate Historian users to verify the source of URLs shared with them before clicking links, especially from email or chat

HARDENINGRestrict network access to Historian REST API endpoint to trusted engineering workstations only using firewall rules

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade AVEVA System Platform to 2023 R2 P01 or later

HOTFIXFor Historian 2023 versions (up to 2023 P03), upgrade to AVEVA System Platform 2023 P04

HOTFIXFor Historian 2020 R2 through 2020 R2 SP1 P01, upgrade to 2020 R2 SP1 P01 and apply AVEVA Hotfix 3190476

Long-term hardening

0/1

HARDENINGIsolate Historian server and all HMI/engineering workstations from business network using network segmentation

CVEs (1)

CVE-2024-6456

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d676e53-29d6-4ee1-9bac-6c28599d7fca

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.