Advantech Fixes Multi WebAccess Holes

Tuesday, January 19, 2016 @ 09:01 AM gHale


Advantech created a new version to mitigate a boatload of vulnerabilities in its WebAccess application, according to a report on ICS-CERT.

Ivan Sanchez — who discovered some of the vulnerabilities along with Ilya Karpov of Positive Technologies, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands, Steven Seeley, and an anonymous researcher — tested the new version to validate it resolves the vulnerabilities which he reported.


Quite a few of the 15 remotely exploitable vulnerabilities ended up reported through the Zero Day Initiative (ZDI) and iDefense.

WebAccess Version 8.0 and prior versions suffer from the issues.

An attacker who exploits these vulnerabilities may be able to upload, create, or delete arbitrary files on the target system, deny access to valid users, or remotely execute arbitrary code.

Taiwan-based Advantech has distribution offices in 21 countries worldwide.

The affected product, WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface (HMI) product. According to Advantech, WebAccess sees action across several sectors including commercial facilities, critical manufacturing, energy, and government facilities. Advantech said these products see use on a global basis.

1) In one vulnerability, the software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

CVE-2016-0851 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

2) In another issue, an attacker could upload or create arbitrary files on the server without authentication or constraint.

CVE-2016-0854 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

3) In another case, the virtual directory created by WebAccess can end up browsed anonymously without authentication.

CVE-2016-0855 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

4) In addition, there are instances where the buffer on the stack can end up overwritten.

CVE-2016-0856 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

5) There are conditions in which more data than the allocated space can hold can end up written to the heap.

CVE-2016-0857 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

6) In yet another vulnerability, a specially crafted request can cause a buffer overflow in a shared virtual memory area.

CVE-2016-0858 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

7) Also, an attacker can send a crafted RPC request to the Kernel service to cause a stack-based buffer overflow.

CVE-2016-0859 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

8) Additionally, an attacker can send a crafted RPC request to the BwpAlarm subsystem to cause a buffer overflow on global variables.

CVE-2016-0860 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

9) In one more case, normal and remote users have access to files and folders that only administrators should have access to.

CVE-2016-0852 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

10) One more issue on the list involves input validation flaws which could allow an attacker to gain sensitive information from the target system.

CVE-2016-0853 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

11) In addition, the web server does not filter user input correctly, allowing a malicious user to initiate a cross-site scripting attack.

CVE-2015-3948 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

12) In a SQL injection vulnerability, web server settings, accounts, and projects may end up modified through scripted commands.

CVE-2015-3947 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.4.

13) In addition, the web server accepts commands via specific scripts that imitate trusted accounts.

CVE-2015-3946 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.4.

14) Also, WebAccess can end up running remote code through the use of a browser plug-in.

CVE-2015-6467 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.

15) In the final vulnerability, email project accounts end up stored in clear text.

CVE-2015-3943 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Advantech released a new version of WebAccess, Version 8.1, to address the reported vulnerabilities. This new version is available on the Advantech website.


