SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-668530089] Advantech WebAccess

Date: 2017-11-02
Type: Other
Platform: Advantech
Author: Steven Seeley, working with Zero Day Initiative, reported the vulnerabilities to ICS-CERT.
EDB-ID: N/A
CVE-ID: CVE-2017-1401 CVE-2017-1271
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Advantech WebAccess
#


### VULNERABLE VENDOR
Advantech


### VULNERABLE PRODUCT
WebAccess



### RESEARCHER
Steven Seeley, working with Zero Day Initiative, reported the vulnerabilities to ICS-CERT.



### AFFECTED PRODUCTS

The following versions of WebAccess, an HMI platform, are affected:

WebAccess versions prior to V8.2_20170817



### IMPACT

Successful exploitation of these vulnerabilities may allow remote code execution.



### VULNERABILITY OVERVIEW

STACK-BASED BUFFER OVERFLOW CWE-121
The application lacks proper validation of the length of user-supplied data prior to copying it to a stack-based buffer, which could allow an attacker to execute arbitrary code under the context of the process.
CVE-2017-14016 has been assigned to this vulnerability.
A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).


UNTRUSTED POINTER DEREFERENCE CWE-822
A remote attacker is able to execute code to dereference a pointer within the program, causing the application to become unavailable.
CVE-2017-12719 has been assigned to this vulnerability.
A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).





### BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water and Wastewater Systems
Countries/Areas Deployed: East Asia, United States, Europe
Company Headquarters Location: Taiwan




### MITIGATION

Advantech has released a new version of WebAccess to address the reported vulnerabilities. Users can download the latest version of WebAccess at the following location (registration required):

http://www.advantech.com/industrial-automation/webaccess