Advantech released new software to mitigate a path traversal vulnerability and a SQL injection vulnerability in its WebAccess/SCADA product, according to a report with ICS-CERT.
Versions of WebAccess/SCADA, a SCADA software platform, prior to V8.2_20170817 suffer from the remotely exploitable vulnerabilities, which were discovered by rgod working with Trend Micro’s Zero Day Initiative.
Successful exploitation of these vulnerabilities could allow sensitive information to be disclosed from the target or database without authentication.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
In the path traversal vulnerability, an attacker has read access to files within the directory structure of the target device.
CVE-2018-5445 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
In addition, WebAccess/SCADA does not properly sanitize its inputs for SQL commands.
CVE-2018-5443 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees action mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It also sees use in East Asia, the United States and Europe.
Taiwan-based Advantech released version 8.3.0 of WebAccess/SCADA to address the reported vulnerabilities. Users can download the latest version of WebAccess/SCADA (registration required).