Advantech Working to Fix HMI Holes

Tuesday, April 24, 2018 @ 06:04 PM gHale

Advantech is working on a mitigation for heap-based buffer overflow, double free, out-of-bounds write vulnerabilities in its WebAccess HMI Designer, according to a report with ICS-CERT.

Human Machine Interface (HMI) runtime development software, Advantech WebAccess HMI Designer, Version 2.1.7.32 and prior suffer from the remotely exploitable vulnerabilities, discovered by Steven Seeley of Source Incite working with Trend Micro’s Zero Day Initiative (ZDI).

RELATED STORIES
Siemens Mitigation Plan for Simatic App
Abbott Updates Defibrillator
Biosense Fixes System Vulnerabilities
Schneider Software Plan for InduSoft, InTouch Hole

Successful exploitation of these vulnerabilities may allow an attacker to remotely execute arbitrary code.

Heap-based buffer overflow vulnerabilities caused by processing specially crafted .pm3 files may allow remote code execution.

CVE-2018-8833 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

In addition, double free vulnerabilities caused by processing specially crafted .pm3 files may allow remote code execution.

CVE-2018-8835 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

Also, processing specially crafted .pm3 files may cause the system to write outside the intended buffer area and may allow remote code execution.

CVE-2018-8837 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.

The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems. It also sees action in East Asia, United States, and Europe.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

NCCIC is working with Advantech to provide mitigation steps to resolve the issues.



Leave a Reply

You must be logged in to post a comment.