Advantech Fixes WebAccess Holes

Tuesday, October 23, 2018 @ 03:10 PM gHale

Advantech released a new version to mitigate multiple vulnerabilities in its WebAccess, according to a report from NCCIC.

The remotely exploitable vulnerabilities are a stack-based buffer overflow, external control of file name or path, improper privilege management and a path traversal.


Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system.

WebAccess Versions 8.3.1 and prior suffer from the vulnerabilities discovered by Mat Powell of Trend Micro Zero Day Initiative.

Several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.

CVE-2018-14816 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, a .dll component is susceptible to an external control of file name or path vulnerability, which may allow arbitrary file deletion when processing.

CVE-2018-14820 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Also, an improper privilege management vulnerability has been identified, which may allow an attacker to access files and perform actions at a system administrator level.

CVE-2018-14828 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

In addition, a path traversal vulnerability may allow an attacker to execute arbitrary code.

CVE-2018-14806 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It also sees action in East Asia, the United States, and Europe.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Taiwan-based Advantech released Version 8.3.3 of WebAccess to address the reported vulnerabilities. Users can download the latest version of WebAccess.


