Advantech released a new version of WebAccess to mitigate a stack-based buffer overflow and an untrusted pointer dereference vulnerability, according to a report with ICS-CERT.
An HMI platform, WebAccess versions prior to V8.2_20170817 suffer from the remotely exploitable vulnerabilities, discovered by Steven Seeley, working with Zero Day Initiative.
Successful exploitation of these vulnerabilities may allow remote code execution.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could exploit the vulnerabilities.
In the overflow issue, the application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.
CVE-2017-14016 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
A remote attacker is able to execute code to dereference a pointer within the program causing the application to become unavailable.
CVE-2017-12719 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees action mainly in the critical manufacturing, energy, and water and wastewater systems sectors.
It also sees use in the East Asia, United States, and Europe regions.
Taiwan-based Advantech released a new version of WebAccess to address the vulnerabilities. Users can click here to download the latest version of WebAccess.