Advantech Mitigates WebAccess/SCADA Holes

Thursday, January 24, 2019 @ 03:01 PM gHale

Advantech released a new version to mitigate improper authentication, authentication bypass, and SQL injection vulnerabilities in its WebAccess/SCADA software, according to a report from NCCIC.

Successful exploitation of these vulnerabilities may allow an attacker to access and manipulate sensitive data.

WebAccess/SCADA Version 8.3, a SCADA software platform, suffers from the remotely exploitable vulnerabilities, which were discovered by Devesh Logendran of Attila Cybertech Pte. Ltd.

In one issue, an improper authentication vulnerability could allow an authentication bypass, letting an attacker upload malicious data.

CVE-2019-6519 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, specially crafted requests could allow an authentication bypass through which an attacker could obtain and manipulate sensitive information.

CVE-2019-6521 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.

Also, the software does not properly sanitize its inputs for SQL commands.

CVE-2019-6523 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

The product sees use in the critical manufacturing, energy, and water and wastewater systems sectors, and is deployed in East Asia, the United States, and Europe.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Taiwan-based Advantech released Version 8.3.5 of WebAccess/SCADA to address the reported vulnerabilities. Users can download the latest version of WebAccess/SCADA.


