CVE-2021-42796: 
NixOS vulnerability analysis and mitigation

An issue was discovered in ExecuteCommand() in AVEVA Edge (formerly InduSoft Web Studio) versions R2020 and prior that allows unauthenticated arbitrary commands to be executed. The vulnerability, tracked as CVE-2021-42796, affects AVEVA Edge's runtime environment and was disclosed in November 2022 (CISA Advisory).

The vulnerability is classified as an Improper Access Control (CWE-284) issue that allows unauthenticated arbitrary commands to be executed with the security context of the StADOSvr.exe process. In most instances, this will be executed under a standard-privileged user account under which the AVEVA Edge runtime was started. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with the vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands with the privileges of the AVEVA Edge runtime process. If the runtime was configured to run under a high-privileged service account, the impact could be more severe (CISA Advisory).

AVEVA recommends users of AVEVA Edge (formerly known as InduSoft Web Studio) up to 2020 R2 SP1 w/ HF 2020.2.00.40 to apply AVEVA Edge 2020 R2 SP2 as soon as possible. Additionally, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, and locating control system networks and remote devices behind firewalls isolated from business networks (CISA Advisory).