Advantech has released a new version to mitigate an out-of-bounds read vulnerability in its WebAccess HMI Designer, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Mat Powell of Trend Micro's Zero Day Initiative (ZDI), may allow an attacker to remotely execute arbitrary code. WebAccess HMI Designer, a Human Machine Interface (HMI) runtime development software package, suffers from the issue in Version 184.108.40.206 and prior.
The vulnerability arises when the software processes specially crafted MCR files: because user-supplied data in the file is not properly validated, processing may cause the system to write outside the intended buffer area, allowing remote code execution.
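To show the defect class the advisory describes (a length taken from an untrusted file driving a copy into a fixed-size buffer) and the validation that prevents it, here is an added example in C. It is constructed for this page and is not Advantech's code; the record layout (a 16-bit little-endian length followed by a name) and the names `parse_record`, `record_t` and `NAME_MAX` are assumptions, not the real MCR format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for illustration (not the real MCR
   format): [u16 little-endian name_len][name_len bytes of name]. */
#define NAME_MAX 32

typedef struct {
    char name[NAME_MAX];   /* fixed-size destination buffer */
    size_t name_len;
} record_t;

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Parse one record from buf. Every value derived from the file is checked
   against both the remaining input and the destination before any copy. */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf_len < 2)
        return PARSE_TRUNCATED;
    uint16_t name_len = (uint16_t)(buf[0] | (buf[1] << 8));

    /* Check 1: the length field must not claim more bytes than the input holds. */
    if ((size_t)name_len > buf_len - 2)
        return PARSE_TRUNCATED;

    /* Check 2: the length field must fit the fixed-size destination (leaving
       room for the terminator). Without this check a crafted file can set
       name_len larger than NAME_MAX and memcpy writes past out->name, which is
       the out-of-bounds write class the advisory describes. */
    if (name_len >= NAME_MAX)
        return PARSE_TOO_LONG;

    memcpy(out->name, buf + 2, name_len);
    out->name[name_len] = '\0';
    out->name_len = name_len;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t GOOD[] = { 5, 0, 'p', 'u', 'm', 'p', '1' };
/* Claims 65535 bytes but carries only four: rejected by check 1. */
static const uint8_t CRAFTED[] = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

int sample_good(void)
{
    record_t r;
    return parse_record(GOOD, sizeof GOOD, &r);
}

/* Returns 1 when the well-formed sample parses to the expected name. */
int good_name_matches(void)
{
    record_t r;
    if (parse_record(GOOD, sizeof GOOD, &r) != PARSE_OK)
        return 0;
    return r.name_len == 5 && strcmp(r.name, "pump1") == 0;
}

int sample_crafted(void)
{
    record_t r;
    return parse_record(CRAFTED, sizeof CRAFTED, &r);
}

/* A record whose length field is honest about the input (40 bytes present)
   but exceeds the 32-byte destination: rejected by check 2. */
int sample_oversized(void)
{
    uint8_t buf[2 + 40];
    buf[0] = 40;
    buf[1] = 0;
    memset(buf + 2, 'A', 40);
    record_t r;
    return parse_record(buf, sizeof buf, &r);
}

int main(void)
{
    printf("good=%d crafted=%d oversized=%d\n",
           sample_good(), sample_crafted(), sample_oversized());
    return 0;
}
```

The point of the two separate checks is that an input-length check alone is not enough: a file can be internally consistent and still declare a field larger than the buffer the parser copies it into, which is the case the second check catches.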
CVE-2019-10961 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product is used mainly in the critical manufacturing, energy, and water and wastewater systems sectors, and is deployed in East Asia, Europe, and the United States.
No known public exploits specifically target this vulnerability, and it is not exploitable remotely. However, an attacker with a low skill level could leverage the vulnerability.
Taiwan-based Advantech has released Version 220.127.116.11 of WebAccess HMI Designer to address the reported vulnerability.