Advantech Fixes WebAccess Vulnerabilities

Monday, July 21, 2014 @ 05:07 PM gHale


Advantech updated its software to mitigate vulnerabilities affecting its WebAccess application, according to a report on ICS-CERT.

The report originally came through the Zero Day Initiative (ZDI) from security researchers Dave Weinstein, Tom Gallagher, John Leitch, and others. These vulnerabilities are remotely exploitable and they are publicly available.


Advantech WebAccess v7.1 and earlier suffer from the issues.

An attacker exploiting these vulnerabilities in WebAccess may be able to bypass authentication or cause a denial of service (DoS).

Taiwan-based Advantech has distribution offices in 21 countries worldwide.

Advantech WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface product used in energy, critical manufacturing, commercial facilities, and government facilities. These systems see action on a global basis.

There are multiple ways to overflow the static stack buffer by providing overly long strings to specific parameters (namely ProjectName, SetParameter, NodeName, CCDParameter, SetColor, AlarmImage, GetParameter, GetColor, ServerResponse, SetBaud, and IPAddress) within the webvact.ocx, dvs.ocx, and webdact.ocx ActiveX files. CVE-2014-2364 is the number assigned to these vulnerabilities, which have a CVSS v2 base score of 7.5.

The bwocxrun ActiveX control (installed by default as part of setup) allows navigation from the Internet to a local file. This occurs through the BrowseFolder method. CVE-2014-2368 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

The ChkCookie subroutine within broadweb\include\gChkCook.asp ActiveX control (installed by default as part of setup) allows navigation from the Internet to a local file. If user, proj, and scada are set, and bwuser is set to true, this will grant access to several previously restricted pages. CVE-2014-2367 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.
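The pattern behind CVE-2014-2367, shown as an added example that is not Advantech's code: a check that trusts client-supplied cookies, next to one that accepts them only with a server-issued MAC. The cookie names user, proj, scada and bwuser come from the description above; the function names, `SERVER_KEY` and the `sig` cookie are hypothetical, and the flawed check is modelled only on that description.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-installation secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
FIELDS = ("user", "proj", "scada")

def trusting_check(cookies):
    """Flawed pattern as the article describes it: any client that sends
    user, proj and scada plus bwuser=true is treated as logged in."""
    return (all(cookies.get(k) for k in FIELDS)
            and cookies.get("bwuser", "").lower() == "true")

def _mac(values):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(v.encode()).to_bytes(4, "big") + v.encode() for v in values)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(user, proj, scada):
    """Call only after the server itself has verified the credentials."""
    values = (user, proj, scada)
    return dict(zip(FIELDS, values), sig=_mac(values))

def hardened_check(cookies):
    """Accept the identity cookies only with a MAC the server issued over them."""
    values = [cookies.get(k) for k in FIELDS]
    sig = cookies.get("sig")
    if not all(isinstance(v, str) and v for v in values + [sig]):
        return False
    return hmac.compare_digest(sig.encode(), _mac(values).encode())

# Constructed sample: cookies a client could set without ever logging in.
FORGED = {"user": "anyone", "proj": "demo", "scada": "node1", "bwuser": "true"}

if __name__ == "__main__":
    legit = issue_session("operator", "demo", "node1")
    print("forged, trusting check:", trusting_check(FORGED))
    print("forged, hardened check:", hardened_check(FORGED))
    print("issued, hardened check:", hardened_check(legit))
```

A deployed version would also bind an expiry time into the signed fields so that a captured cookie cannot be replayed indefinitely.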

The upAdminPg.asp component includes the password of the specified account in the underlying HTML when serving the page. CVE-2014-2366 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

Advantech WebAccess contains a flaw that enables a malicious user to arbitrarily create and delete files. CVE-2014-2365 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.5.

An attacker with moderate skill would be able to exploit these vulnerabilities.

Advantech released a new WebAccess Installation Package v7.2 on June 6 that removes some vulnerable ActiveX components and resolves the vulnerabilities within others.


