Advantech Clears WebAccess Hole

Thursday, October 25, 2018 @ 03:10 PM gHale

Advantech has released a new version to mitigate improper access control and stack-based buffer overflow vulnerabilities in its WebAccess, according to a report from NCCIC.

Successful exploitation of these vulnerabilities could allow for arbitrary remote code execution.


WebAccess Versions 8.3.2 and prior suffer from the remotely exploitable vulnerabilities, discovered by Mat Powell of Trend Micro’s Zero Day Initiative.

In one vulnerability, during installation, the application installer disables user access control and does not re-enable it after the installation is complete. This could allow an attacker to run elevated arbitrary code.

CVE-2018-17908 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.4.
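As an added example that is not from the advisory or from Advantech, the following PowerShell audit checks whether UAC is still disabled on a Windows host after a WebAccess install and can restore the Windows defaults (the `-Remediate` switch and the `Get-UacState` function name are assumptions):

```powershell
# Added example (not Advantech's code): audit the UAC state that the WebAccess
# installer for 8.3.2 and earlier leaves behind (CVE-2018-17908).
# Run from an elevated PowerShell prompt. -Remediate is an assumed switch name.
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Missing values mean Windows defaults apply: UAC on, prompt on secure desktop.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    [pscustomobject]@{
        EnableLUA                  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }
        ConsentPromptBehaviorAdmin = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
        PromptOnSecureDesktop      = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    }
}

$state = Get-UacState
# EnableLUA = 0 turns UAC off entirely: every process run by an administrator is
# already elevated, which is what lets a local attacker run elevated code.
# ConsentPromptBehaviorAdmin = 0 keeps UAC on paper but elevates without a prompt.
$uacOff          = ($state.EnableLUA -eq 0)
$silentElevation = ($state.ConsentPromptBehaviorAdmin -eq 0)

if (-not $uacOff -and -not $silentElevation) {
    Write-Host ("OK: UAC is enabled (EnableLUA={0}, ConsentPromptBehaviorAdmin={1})." -f
        $state.EnableLUA, $state.ConsentPromptBehaviorAdmin)
    exit 0
}

Write-Warning ("UAC weakened: EnableLUA={0}, ConsentPromptBehaviorAdmin={1}, PromptOnSecureDesktop={2}" -f
    $state.EnableLUA, $state.ConsentPromptBehaviorAdmin, $state.PromptOnSecureDesktop)

if ($Remediate) {
    # Restore the Windows defaults: UAC on, consent prompt on the secure desktop.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Write-Host 'UAC settings restored; a reboot is required for EnableLUA to take effect.'
}
exit 1
```

The exit code (0 when UAC is intact, 1 otherwise) makes the script usable from a configuration-management or fleet-audit job after the 8.3.3 upgrade, since upgrading alone does not re-enable UAC on hosts that an earlier installer already changed.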

In addition, the application fails to properly validate the length of user-supplied data, causing a buffer overflow condition that allows for arbitrary remote code execution.

CVE-2018-17910 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It is deployed mainly in East Asia, the United States, and Europe.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Taiwan-based Advantech released Version 8.3.3 of WebAccess to address the reported vulnerabilities. The latest version of WebAccess is available for download from Advantech.
