PatchSiren cyber security CVE debrief
CVE-2024-6456 AVEVA CVE debrief
CVE-2024-6456 is a HIGH severity (CVSS 8.1) SQL injection vulnerability in AVEVA Historian Server, published 2024-08-15. The flaw allows malicious SQL commands to execute under the privileges of an interactive Historian REST Interface user who has been socially engineered into opening a specially crafted URL. The attack vector is network-based with low attack complexity; exploitation requires no privileges but does require user interaction, obtained through social engineering. Successful exploitation can result in high confidentiality and integrity impact, though availability is not affected.
The vulnerability affects three product versions: Historian Server 2023 R2, versions from 2023 through 2023 P03, and versions from 2020 R2 through 2020 R2 SP1 P01. AVEVA has provided multiple remediation paths: the recommended fix is upgrading to AVEVA System Platform 2023 R2 P01; alternatively, Historian 2023 through 2023 P03 can be fixed by upgrading to AVEVA System Platform 2023 P04, or Historian 2020 R2 through 2020 R2 SP1 P01 can be fixed by upgrading to AVEVA System Platform 2020 R2 SP1 P01 and applying Hotfix 3190476. Organizations should also implement procedural controls to verify URL sources before opening and consult AVEVA Security Central and NIST SP 800-82r3 for OT security guidance.
- Vendor: AVEVA
- Product: Historian Server
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-08-15
- Original CVE updated: 2024-08-15
- Advisory published: 2024-08-15
- Advisory updated: 2024-08-15
Who should care
Organizations operating AVEVA Historian Server in industrial environments, particularly those with REST Interface users who may be targeted by social engineering. Critical infrastructure operators, manufacturing facilities, and energy sector deployments using affected versions should prioritize patching given the HIGH severity and potential for data manipulation or unauthorized access to historian data.
Technical summary
CVE-2024-6456 is an SQL injection vulnerability in the AVEVA Historian REST Interface. The vulnerability exists due to insufficient input validation on URL parameters, allowing an attacker to inject malicious SQL commands. Exploitation requires social engineering of an authenticated Historian REST Interface user to open a crafted URL, after which the SQL commands execute with that user's privileges. The CVSS 3.1 score of 8.1 (HIGH) reflects significant confidentiality and integrity impacts with network accessibility and low attack complexity. The vulnerability does not affect availability. Three version ranges are impacted across the 2020 and 2023 product lines. Remediation requires platform upgrades with specific patch levels or hotfix application coordinated through AVEVA support channels.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected AVEVA Historian Server installations to AVEVA System Platform 2023 R2 P01 as the recommended remediation path
- For Historian 2023 through 2023 P03, alternatively upgrade to AVEVA System Platform 2023 P04
- For Historian 2020 R2 through 2020 R2 SP1 P01, upgrade to AVEVA System Platform 2020 R2 SP1 P01 and apply Hotfix 3190476 per AVEVA Global Customer Support instructions
- Establish and enforce procedures requiring Historian REST Interface users to verify URL sources are trusted before opening
- Review and implement defensive measures from NIST SP 800-82r3 Guide to Operational Technology (OT) Security
- Monitor AVEVA Security Central for future security updates and bulletins
Evidence notes
CVE description and affected product versions are derived from CISA CSAF advisory ICSA-24-228-10. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N confirms a network attack vector with user interaction required. Remediation options and upgrade paths are sourced from the vendor-provided mitigations in the CSAF document.
Official resources
- CVE-2024-6456 CVE record (CVE.org)
- CVE-2024-6456 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-08-15