Advantech’s New Version of WebAccess

Monday, February 20, 2012 @ 05:02 PM gHale

There are eighteen vulnerabilities in Advantech’s BroadWin WebAccess, including cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and authentication issues.

All vulnerabilities were reported separately by the nSense Vulnerability Coordination Team, Greg MacManus of iSIGHT Partners, Kuang-Chun Hung of Security Research and Service Institute−Information and Communication Security Technology Center (ICST), Luigi Auriemma, Billy Rios, Terry McCorkle, and a researcher who uses the alias Snake.

ICS-CERT coordinated with Advantech, which released a new version of WebAccess that addresses most of the vulnerabilities.

These vulnerabilities affect all versions of Advantech/BroadWin WebAccess prior to applying the patch (V7.0) listed in the mitigations below.

An attacker can bypass authentication, gain administrative privileges, and remotely execute arbitrary code by exploiting these vulnerabilities.

Advantech/BroadWin WebAccess is a web-based human-machine interface product used in energy, manufacturing, and building automation systems. The installation base is across Asia, North America, North Africa, and the Middle East.

WebAccess Client is available for computers running Windows 2000, XP, Vista, and Server 2003. A thin-client interface is available for Windows CE and Windows Mobile 5.0.

CROSS-SITE SCRIPTING
An attacker can use a malformed URL in an XSS attack to launch JavaScript code. CVE-2012-0233 is the number assigned to this vulnerability.

SQL INJECTION
An attacker can use a malformed URL address to execute an SQL injection attack. CVE-2012-0234 is the number assigned to this vulnerability.

CROSS-SITE REQUEST FORGERY
The web application does not sufficiently verify whether a request intentionally came from the user who submitted the request. CVE-2012-0235 is the number assigned to this vulnerability.
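
The check the application is missing is one that ties each state-changing request to the session that is supposed to be making it. The following is an added example, not code from WebAccess or from ICS-CERT; the handler name, the per-deployment key and the "time sync" flag are assumptions made for illustration. It issues an HMAC-derived token per session, refuses GET for state changes (a plain link or image tag can trigger those), and refuses a POST whose token was minted for a different session.

```python
import hashlib
import hmac
import secrets

# Per-deployment key (assumed for this example; not a WebAccess setting).
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to the session: a token issued to the attacker's own
    session does not verify against the victim's."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, submitted) -> bool:
    """Constant-time comparison so the check itself does not leak the token."""
    return submitted is not None and hmac.compare_digest(csrf_token(session_id), submitted)


def set_time_sync(method: str, session_id: str, form: dict, state: dict) -> int:
    """Hypothetical state-changing handler (modelled on an enable/disable switch).
    Returns an HTTP-style status code and only mutates `state` on a verified POST."""
    if method != "POST":
        return 405                      # GET must never change state
    if not verify_csrf(session_id, form.get("csrf_token")):
        return 403                      # missing, stale, or another session's token
    state["time_sync"] = form.get("enable") == "1"
    return 200


if __name__ == "__main__":
    # Constructed walk-through: a forged request from a page the victim visited
    # carries no token (or the attacker's token) and is rejected.
    st = {"time_sync": True}
    print(set_time_sync("POST", "sess-victim", {"enable": "0"}, st), st)
    print(set_time_sync("POST", "sess-victim",
                        {"enable": "0", "csrf_token": csrf_token("sess-victim")}, st), st)
```

The token is one layer; checking the Origin or Referer header against the HMI's own host and marking the session cookie SameSite are complementary and cheap to add in front of the same handler.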

INFORMATION LEAKAGE
An unauthenticated user can access restricted information using specific URL addresses. CVE-2012-0236 is the number assigned to this vulnerability.

UNAUTHORIZED MODIFICATION
An unauthenticated user can enable or disable date and time syncing by using specifically crafted URL addresses. CVE-2012-0237 is the number assigned to this vulnerability.

STACK-BASED BUFFER OVERFLOW
A stack-based buffer overflow vulnerability exists in opcImg.asp that, when exploited, allows an attacker to remotely execute arbitrary code. CVE-2012-0238 is the number assigned to this vulnerability.

AUTHENTICATION VULNERABILITY
An authentication vulnerability exists in uaddUpAdmin.asp in Advantech’s WebAccess 7.0, and possibly earlier versions, that, when exploited, allows an attacker to remotely change an administrator’s password. No exploit code is needed to exploit this vulnerability. CVE-2012-0239 is the number assigned to this vulnerability.

AUTHENTICATION VULNERABILITY
An authentication vulnerability exists in GbScriptAddUp.asp that, when exploited, allows an attacker to remotely execute arbitrary code. CVE-2012-0240 is the number assigned to this vulnerability.

ACTIVEX BUFFER OVERFLOW
A long string input to ActiveX parameters will cause a buffer overflow, which might allow remote attackers to execute arbitrary code and gain full control of the server. CVE-2011-4526 is the number assigned to this vulnerability.

BUFFER OVERFLOW
Long string input to parameters will cause a buffer overflow, which could allow execution of arbitrary code. CVE-2011-4524 is the number assigned to this vulnerability.

FILE MANIPULATION
An attacker can load any remote web page and write to a local batch file that will allow arbitrary code execution. CVE-2011-4525 is the number assigned to this vulnerability.

SQL INJECTION
String inputs are not checked, allowing attackers to perform SQL injection attacks. CVE-2011-4521 is the number assigned to this vulnerability.

CROSS-SITE SCRIPTING
Parameters of bwerrdn.asp are not sanitized, allowing malicious cross-site scripts. CVE-2011-4522 is the number assigned to this vulnerability.

CROSS-SITE SCRIPTING
Parameters of bwview.asp are not sanitized, allowing malicious cross-site scripts. CVE-2011-4523 is the number assigned to this vulnerability.
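
The three XSS entries (CVE-2012-0233, CVE-2011-4522 and CVE-2011-4523) share one root cause: a request parameter is reflected into the page without encoding for the context it lands in. The example below is added here and is not the product's code; the page shapes, the parameter name `msg`, and the request URLs are constructed. It shows the unencoded reflection, the body-text fix, and the caveat that an attribute context additionally needs quotes encoded.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit


def first_param(url: str, name: str) -> str:
    """First value of a query parameter, or '' if absent (constructed URLs below)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def error_page_vulnerable(url: str) -> str:
    """Reflects the parameter into the body verbatim: script in the URL runs."""
    return "<html><body><p>Error: " + first_param(url, "msg") + "</p></body></html>"


def error_page_safe(url: str) -> str:
    """Body (text) context: encoding &, < and > makes the browser treat it as text."""
    return "<html><body><p>Error: " + escape(first_param(url, "msg")) + "</p></body></html>"


def input_field_unsafe_escape(url: str) -> str:
    """Insufficient: quote=False leaves quotes alone, so a value can close the
    attribute and add an event handler."""
    return '<input name="msg" value="' + escape(first_param(url, "msg"), quote=False) + '">'


def input_field_safe(url: str) -> str:
    """Attribute context: quote=True also encodes " and ', so the value cannot
    break out of the quoted attribute."""
    return '<input name="msg" value="' + escape(first_param(url, "msg"), quote=True) + '">'


if __name__ == "__main__":
    # Constructed request URLs carrying a body payload and an attribute-breakout payload.
    u1 = "http://hmi.example/bwerrdn.asp?msg=<script>alert(1)</script>"
    u2 = 'http://hmi.example/bwerrdn.asp?msg=" onmouseover="alert(1)'
    print(error_page_vulnerable(u1))
    print(error_page_safe(u1))
    print(input_field_unsafe_escape(u2))
    print(input_field_safe(u2))
```

Encoding has to match the sink: a value placed inside a script block or a URL needs JavaScript-string or percent-encoding respectively, and `html.escape` alone does not cover those.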

ARBITRARY MEMORY CORRUPTION
Functions can corrupt arbitrary memory zones through fully controllable stream identifiers. CVE-2012-0241 is the number assigned to this vulnerability.

FORMAT STRING
A format string vulnerability can be exploited by using a message string without the required format arguments. CVE-2012-0242 is the number assigned to this vulnerability.

ACTIVEX BUFFER OVERFLOW
A component used by WebAccess, bwocxrun.ocx, is vulnerable to a buffer overflow because of methods that can create an arbitrary file in an arbitrary location. Exploitation could allow the execution of arbitrary code. CVE-2012-0243 is the number assigned to this vulnerability.

SQL INJECTION
String inputs are not checked on input, allowing attackers to perform many different SQL injection attacks. CVE-2012-0244 is the number assigned to this vulnerability.
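
The three SQL injection entries (CVE-2012-0234, CVE-2011-4521 and CVE-2012-0244) all come down to request values being spliced into query text. The following added example is not WebAccess code; the in-memory user table, the login page name and the request URLs are constructed for illustration. It shows a "malformed URL" turning a login check into a bypass, and the bound-parameter form that stays safe regardless of who sends the request, which matters here because the patched version reportedly still leaves the issue open for non-admin project users.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; not the product's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret", "admin"), ("op1", "pw1", "project")])
    conn.commit()
    return conn


def params_from_url(url: str) -> dict:
    """First value of each query parameter in a request URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def login_vulnerable(conn: sqlite3.Connection, url: str):
    """Query text built from request values: a quote in a value rewrites the query."""
    p = params_from_url(url)
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (
        p.get("user", ""), p.get("pw", ""))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, url: str):
    """Bound parameters: values travel to the engine apart from the SQL text and
    are never parsed as syntax, whoever (anonymous, project user, admin) sent them."""
    p = params_from_url(url)
    row = conn.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                       (p.get("user", ""), p.get("pw", ""))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed URL: the trailing "--" comments out the password check.
    attack = "http://hmi.example/login.asp?user=admin' --&pw=wrong"
    print("vulnerable:", login_vulnerable(db, attack))
    print("safe:      ", login_safe(db, attack))
```

Binding parameters fixes the query; it does not replace authorization, so the non-admin project user case still needs the page to check the caller's role before running anything on their behalf.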

All the vulnerabilities contained in this report are remotely exploitable.

Advantech has created a new version of WebAccess (7.0) that addresses these vulnerabilities. The new version is available at http://webaccess.advantech.com/downloads.php. Advantech recommends installing the new version over the existing installation. If you uninstall the existing version of WebAccess, you must reboot the computer before reinstalling WebAccess. Advantech also recommends that manufacturers using the WebAccess product refer to the security considerations in their installation manual.

ICST, iSIGHT, and ICS-CERT have validated that the new version mitigates vulnerabilities 1 and 5 through 16, numbered in the order listed above (so 1 is the CVE-2012-0233 XSS and 16 is the CVE-2012-0242 format string issue). For vulnerabilities 2 and 3 (the CVE-2012-0234 SQL injection and the CVE-2012-0235 CSRF), the patched version fixes the issue for unauthenticated users; however, the problem remains for non-admin project users. Advantech did not patch vulnerability 4 (the CVE-2012-0236 information leakage) because the company does not consider it to be a security risk. Neither ICS-CERT nor independent researchers have validated that the new version resolves vulnerabilities 17 and 18 (the CVE-2012-0243 bwocxrun.ocx buffer overflow and the CVE-2012-0244 SQL injection).
