CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
57.4%
Successful exploitation of these vulnerabilities could result in arbitrary code execution, information disclosure, or denial of service.
The following versions of AVEVA Edge, an industrial software system, are affected:
The scripting capability provided by AVEVA Edge is unrestricted; a user could abuse this to achieve arbitrary code execution.
CVE-2022-36970 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A vulnerability exists in AVEVA Edge that could allow a malicious actor with access to the file system to achieve arbitrary code execution and cause escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28686 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A vulnerability exists in AVEVA Edge that could allow a malicious actor with access to the file system to achieve arbitrary code execution and cause escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28687 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A vulnerability exists in AVEVA Edge that could allow a malicious actor with access to the file system to achieve arbitrary code execution and cause escalation by tricking AVEVA Edge into loading an unsafe DLL.
CVE-2022-28688 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A vulnerability exists in AVEVA Edge that, if exploited, could allow a user to tamper with project files to achieve arbitrary code execution.
CVE-2022-28685 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
This vulnerability, if exploited, could allow a malicious actor to cause a denial-of-service condition in AVEVA Edge or to extract arbitrary files from the host running AVEVA Edge.
CVE-2022-36969 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H).
Chris Anastasio from Incite Team; Piotr Bazydło, Pedro Ribeiro, and Radek Domanski from Flashback Team; Daan Keuper and Thijs Alkemade from Computest; and Aaron Ferber reported these vulnerabilities to Trend Micro Zero Day Initiative.
AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
AVEVA recommends applying security fixes for the affected products:
AVEVA advises the following precautions should be taken throughout the lifetime of AVEVA Edge projects:
For additional details, users can refer to the supplied help file in HF 2020.2.00.40 (login required).
For more information on this vulnerability, including security updates, users should see security bulletin AVEVA-2022-005
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28687
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28688
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36969
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36970
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36970
cisa.gov/ics
cisa.gov/ics
cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/news-events/ics-advisories/icsa-22-249-02
cwe.mitre.org/data/definitions/357.html
cwe.mitre.org/data/definitions/427.html
cwe.mitre.org/data/definitions/427.html
cwe.mitre.org/data/definitions/427.html
cwe.mitre.org/data/definitions/502.html
cwe.mitre.org/data/definitions/611.html
nvd.nist.gov/vuln/detail/CVE-2022-28685
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
softwaresupportsp.aveva.com/#/producthub/details?id=e1598a96-31e2-4370-c17c-08da7168e83a
softwaresupportsp.aveva.com/#/producthub/details?id=e1598a96-31e2-4370-c17c-08da7168e83a
softwaresupportsp.aveva.com/#/producthub/details?id=f03eb16e-2ca0-41a0-8998-08d99cd36dd5
twitter.com/CISAgov
twitter.com/intent/tweet?text=AVEVA%20Edge%202020%20R2%20SP1%20and%20all%20prior%20versions+https://www.cisa.gov/news-events/ics-advisories/icsa-22-249-02
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.aveva.com/content/dam/aveva/documents/support/cyber-security-updates/SecurityBulletin_AVEVA-2022-005.pdf
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-22-249-02&title=AVEVA%20Edge%202020%20R2%20SP1%20and%20all%20prior%20versions
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-22-249-02
www.oig.dhs.gov/
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=AVEVA%20Edge%202020%20R2%20SP1%20and%20all%20prior%20versions&body=www.cisa.gov/news-events/ics-advisories/icsa-22-249-02