Advantech had a slew of vulnerabilities released this week ranging from buffer overflows to a command injection, according to a series of reports on ICS-CERT.
For one of the buffer overflows, discovered by Ricardo Narvaja from Core Security Consulting Services, Advantech has produced a new version of WebAccess that does not have this vulnerability when installed on a machine that did not have a previous version of WebAccess.
WebAccess 7.2 and earlier versions suffer from the issue.
An attacker exploiting this vulnerability may have the ability to execute arbitrary code on the target system.
Advantech is based in Taiwan and has distribution offices in 21 countries worldwide.
Advantech WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface product deployed globally across several sectors including energy, critical manufacturing, commercial facilities, and government facilities.
The vulnerability is caused by a stack buffer overflow when parsing the ip_address parameter. A malicious third party could trigger execution of arbitrary code within the context of the application or otherwise crash the whole application. This occurs because the application copies strings to the stack without checking their length.
CVE-2014-8388 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.2.
This vulnerability is not exploitable remotely and cannot be exploited without user interaction. The exploit only triggers when a local user runs the vulnerable application and loads the malformed HTML file.
No known public exploits specifically target this vulnerability. An attacker with low skill would be able to exploit this vulnerability.
Advantech has created a new version (8.0) to mitigate this vulnerability; the patch is available for download.
Core Security also said if users upgrade to WebAccess 8.0, they must also delete the vulnerable “webeye.ocx” from their system, or uninstall the previous version before installing WebAccess 8.0. The company recommends users avoid opening untrusted .html files. Core Security also recommends the use of third-party software to help prevent the exploitation of affected systems.
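The root cause described above, copying the ip_address string to the stack without a length check, is avoided by bounding and validating the value before it is copied. The following is an added example, not Advantech's or Core Security's code; the function name `copy_ip_address`, the 16-byte buffer, and the assumption that the parameter should hold a dotted-quad IPv4 address are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP_BUF_LEN 16  /* assumed size: "255.255.255.255" plus NUL */

/* Hypothetical helper: copy an untrusted ip_address value into a fixed
 * buffer only if it is a well-formed dotted-quad IPv4 string.
 * Returns 0 on success, -1 if the input is rejected (dst untouched). */
int copy_ip_address(char dst[IP_BUF_LEN], const char *src)
{
    if (dst == NULL || src == NULL)
        return -1;

    /* Bounded length scan: never look past what dst could hold. */
    size_t len = 0;
    while (len < IP_BUF_LEN && src[len] != '\0')
        len++;
    if (len == 0 || len >= IP_BUF_LEN)
        return -1;                 /* empty, or too long for dst */

    /* Structure check: four decimal octets 0..255 separated by '.'. */
    int octets = 0, digits = 0, value = 0;
    for (size_t i = 0; i <= len; i++) {
        char c = src[i];
        if (c >= '0' && c <= '9') {
            value = value * 10 + (c - '0');
            if (++digits > 3 || value > 255)
                return -1;
        } else if (c == '.' || i == len) {
            if (digits == 0)
                return -1;         /* empty octet such as "1..2.3" */
            octets++;
            digits = 0;
            value = 0;
        } else {
            return -1;             /* any other byte is rejected */
        }
    }
    if (octets != 4)
        return -1;

    memcpy(dst, src, len + 1);     /* len + 1 <= IP_BUF_LEN, copies NUL */
    return 0;
}

int main(void)
{
    char buf[IP_BUF_LEN];
    const char *sample = "192.168.1.10";   /* constructed sample input */
    printf("%s -> %d\n", sample, copy_ip_address(buf, sample));
    return 0;
}
```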
There is a public report and proof-of-concept exploit code released regarding the command injection vulnerability in Advantech’s EKI-6340, a wireless mesh access point used in industrial control systems.
The vulnerability is the result of incorrect sanitization of input parameters. The report was released following coordination with the vendor and ICS-CERT.
Facundo Pantaleo and Flavio Cangini from Core Security Engineering Team discovered this command injection vulnerability. Advantech decided not to fix this vulnerability in the EKI-6340 series, as the company will soon discontinue it.
The Advantech EKI-6340 series consists of wireless mesh access points for outdoor deployment. It most commonly sees use in infrastructures where wired solutions are hard to deploy. The product is deployed across several sectors including energy and commercial facilities.
The security researchers from Core Security recommend the following mitigation steps:
• Change the “guest” user password (or delete the user in case it’s not used)
• Edit the fshttpd.conf and remove the line “guest_allow=/cgi/ping.cgi”
• Check that the “admin” user doesn’t have the default password as well
In another vulnerability, there is a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Advantech’s AdamView, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product.
The vulnerability is caused by incorrect sanitization of input parameters. The report was released following coordination with the vendor and ICS-CERT.
Daniel Kazimirow and Fernando Paez from Core Security Engineering Team discovered this buffer overflow vulnerability in AdamView V4.3. Advantech decided not to fix this vulnerability in AdamView, as the company has not supported it for a period of time.
AdamView is a data acquisition software package for HMI and SCADA. The product is used globally across several sectors including energy and commercial facilities.
Core Security recommends users avoid opening untrusted .gni files. They also recommend the use of third-party software to prevent the exploitation of affected systems.