Taiwan-based Advantech was unable to verify the validity of a heap-based buffer overflow vulnerability in its WebOP product, according to a report with ICS-CERT.
Researchers report all versions of Advantech WebOP operator panels suffer from the issue, discovered by Ariele Caltabiano (kimiya) working with Trend Micro’s Zero Day Initiative (ZDI).
Successful exploitation of this vulnerability could cause the target device to crash and may allow arbitrary code execution.
Public exploits specifically target this vulnerability. This vulnerability is not remotely exploitable. However, an attacker with low skill level would be able to exploit the vulnerability.
A maliciously crafted project file may be able to trigger a heap-based buffer overflow, which may crash the process and allow an attacker to execute arbitrary code.
CVE-2017-12705 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.8.
The product sees use mainly in the critical manufacturing sector. It also sees action in North America and East Asia.
ZDI recommends this product be restricted to interact with trusted files only.