Advantech has replaced its WISE-PaaS/RMM with new products that address multiple vulnerabilities in the platform, according to an advisory from CISA.
The vulnerabilities are a path traversal, missing authorization, improper restriction of XML external entity reference, and a SQL injection. Successful exploitation of these remotely exploitable vulnerabilities, discovered by rgod of 9sg Security Team and trendytofu working with Trend Micro’s Zero Day Initiative, may allow information disclosure, remote code execution, and loss of system availability.
Advantech said it phased out its WISE-PaaS/RMM in July and replaced it with EdgeSense and DeviceOn.
WISE-PaaS/RMM, an IoT device remote monitoring and management platform, is affected in Versions 3.3.29 and prior.
The first vulnerability is a path traversal caused by a lack of proper validation of a user-supplied path prior to its use in file operations. An attacker can leverage this vulnerability to execute code remotely in the context of the administrator.
CVE-2019-13551 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
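The following is an added illustration of the class of defect described above, not code from WISE-PaaS/RMM or from Advantech. It uses a constructed directory layout (a served `files` directory and a sibling `secret.txt`) and shows a file read that joins a user-supplied path without validation next to one that resolves the path first and requires the resolved result to stay under the base directory. The function and fixture names are assumptions for the example.

```python
import tempfile
from pathlib import Path

# Constructed fixture (not the product's layout): a directory the application
# may serve files from, and a sibling file that must stay unreachable.
_root = Path(tempfile.mkdtemp()).resolve()
BASE_DIR = _root / "files"
BASE_DIR.mkdir()
(BASE_DIR / "report.txt").write_text("public report")
(_root / "secret.txt").write_text("outside base")


class PathTraversalError(ValueError):
    """Raised when a requested path does not stay inside BASE_DIR."""


def read_file_unsafe(user_path: str) -> str:
    # Vulnerable form: the user-supplied path is joined to the base directory
    # and used as-is, so "../secret.txt" walks out of BASE_DIR.
    return (BASE_DIR / user_path).read_text()


def resolve_within_base(user_path: str) -> Path:
    # Hardened form: resolve the candidate path first (this collapses ".."
    # segments and follows symlinks), then require the *resolved* path to be
    # BASE_DIR itself or one of its descendants. A substring check for ".."
    # would miss absolute paths and symlinks; a prefix check on the string
    # would accept "../files_evil" because it starts with ".../files".
    target = (BASE_DIR / user_path).resolve()
    if target != BASE_DIR and BASE_DIR not in target.parents:
        raise PathTraversalError(f"path escapes base directory: {user_path!r}")
    return target


def is_within_base(user_path: str) -> bool:
    # Yes/no form of the same check for callers that do not want an exception.
    try:
        resolve_within_base(user_path)
        return True
    except PathTraversalError:
        return False


def read_file_safe(user_path: str) -> str:
    return resolve_within_base(user_path).read_text()


if __name__ == "__main__":
    print(read_file_safe("report.txt"))
    print(read_file_unsafe("../secret.txt"))  # vulnerable: leaks the sibling file
    print(is_within_base("../secret.txt"))    # rejected by the hardened check
```

The containment test is made on the resolved path rather than on the raw string, which is what defeats `..` segments, absolute paths and symlinked directories at the same time.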
In addition, there is an unsecured function that allows anyone who can reach the product’s IP address to use the function without authentication.
CVE-2019-13547 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Also, XML external entity (XXE) vulnerabilities exist that may allow disclosure of sensitive data.
CVE-2019-18227 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
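As an added illustration of the XXE class (not code from the product or from Advantech), the block below parses an attacker-supplied document whose DTD declares an external entity pointing at a local file. With external entity loading switched on, the parser substitutes the file's contents into the document; the hardened form refuses any document carrying a DOCTYPE and keeps external entity loading off, which is the default of Python's expat-based SAX reader. The secret file, the sample documents and the function names are constructed for the example.

```python
import io
import tempfile
import xml.sax
from xml.parsers import expat
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed fixture (not the product's data): a local file an attacker wants
# to read, referenced from the DTD of an attacker-supplied document.
_secret = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_secret.write("top secret")
_secret.close()
SECRET_PATH = _secret.name

XXE_DOC = (
    '<?xml version="1.0"?>'
    f'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "{SECRET_PATH}">]>'
    '<doc>&xxe;</doc>'
).encode()
BENIGN_DOC = b'<?xml version="1.0"?><doc>hello</doc>'


class _TextCollector(ContentHandler):
    """Collects the character data the parser reports, entity content included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def _parse_with(data: bytes, load_external_entities: bool) -> str:
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched and
    # substituted. The expat reader defaults it to False; the vulnerable
    # configuration is turning it on (or using a library whose default is on).
    parser.setFeature(feature_external_ges, load_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return "".join(collector.parts)


def parse_xml_unsafe(data: bytes) -> str:
    # Vulnerable form: external general entities are resolved, so &xxe;
    # expands to the contents of whatever file the DTD names.
    return _parse_with(data, load_external_entities=True)


def contains_dtd(data: bytes) -> bool:
    # Defence in depth: untrusted XML has no business carrying a DTD at all.
    # An expat DOCTYPE handler flags one as soon as it is seen, before any
    # entity declaration inside it could be acted on.
    seen = []
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = lambda name, sysid, pubid, internal: seen.append(name)
    try:
        p.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input fails the real parse later; here we only look for a DTD
    return bool(seen)


def parse_xml_safe(data: bytes) -> str:
    # Hardened form: reject DTDs outright and keep external entity loading off.
    if contains_dtd(data):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return _parse_with(data, load_external_entities=False)


if __name__ == "__main__":
    print(parse_xml_unsafe(XXE_DOC))  # vulnerable: prints the secret file
    print(parse_xml_safe(BENIGN_DOC))
    print(contains_dtd(XXE_DOC))
```

Rejecting the DTD is the cheaper, library-independent control; keeping entity loading disabled is the one that matters when a DTD has to be accepted for legitimate reasons.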
In addition, a lack of sanitization of user-supplied input causes SQL injection vulnerabilities. An attacker can leverage these vulnerabilities to disclose information.
CVE-2019-18229 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
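The block below is an added illustration of the SQL injection class, not code from the product or from Advantech. It builds a constructed in-memory SQLite table of devices for two tenants and shows a lookup that splices user input into the query text next to one that binds the same values as parameters; the schema, data and function names are assumptions for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed fixture (not the product's schema): devices owned by two
    # tenants, each with a credential the other tenant must never see.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (tenant, name, api_key) VALUES (?, ?, ?)",
        [
            ("acme", "pump-1", "key-acme-1"),
            ("acme", "pump-2", "key-acme-2"),
            ("globex", "valve-7", "key-globex-7"),
        ],
    )
    return conn


def find_devices_unsafe(conn: sqlite3.Connection, tenant: str, name: str) -> list:
    # Vulnerable form: user input is spliced into the SQL text. A name of
    # "' OR '1'='1" closes the literal and appends a tautology, so the WHERE
    # clause matches every row, including the other tenant's credentials.
    sql = (
        "SELECT tenant, name, api_key FROM devices "
        f"WHERE tenant = '{tenant}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def find_devices_safe(conn: sqlite3.Connection, tenant: str, name: str) -> list:
    # Hardened form: the statement text is fixed and the values travel
    # separately as bound parameters, so input can only ever be compared as
    # data and cannot change the structure of the query.
    sql = "SELECT tenant, name, api_key FROM devices WHERE tenant = ? AND name = ?"
    return conn.execute(sql, (tenant, name)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(find_devices_unsafe(db, "acme", payload))  # vulnerable: all three rows
    print(find_devices_safe(db, "acme", payload))    # hardened: no match
    print(find_devices_safe(db, "acme", "pump-1"))
```

Escaping quotes by hand is not a substitute for parameter binding; the binding keeps the query plan fixed regardless of what the input contains.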
The product is deployed mainly in the critical manufacturing, energy, and water sectors, in East Asia, Europe, and the United States.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.
Taiwan-based Advantech phased out WISE-PaaS/RMM in July of 2019 and replaced the product with EdgeSense and DeviceOn. Advantech has notified its PSMs, sales managers, RSMs and partners of the phase-out and of the replacement of the old WISE-PaaS/RMM software bundle with EdgeSense and DeviceOn.