Pierluigi Paganini April 04, 2019

Industrial automation firm Advantech addressed several serious vulnerabilities in its WebAccess SCADA software.

WebAccess is a browser-based software package for human-machine interfaces (HMI) and SCADA systems developed by Advantech.

The vulnerabilities affect WebAccess/SCADA Versions 8.3.5 and prior.

The software is widely adopted in many sectors worldwide, such as critical manufacturing, energy, and water and wastewater.

The vulnerabilities were reported to NCCIC by researchers Mat Powell and Natnael Samson (@NattiSamson) through Trend Micro’s Zero Day Initiative (ZDI).

The WebAccess is affected by three types of vulnerabilities, including two critical remote code execution flaws and one “high severity” denial-of-service (DoS) issue.

Below the flaws reported by the US ICS-CERT:

• IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 – Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution. CVE-2019-6552 has been assigned to these vulnerabilities. 
• STACK-BASED BUFFER OVERFLOW CWE-121 – Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.
  CVE-2019-6550 has been assigned to these vulnerabilities.
• IMPROPER ACCESS CONTROL CWE-284 – An improper access control vulnerability may allow an attacker to cause a denial-of-service condition. CVE-2019-6554 has been assigned to this vulnerability.

The vulnerabilities were reported to the vendor in January that addressed them with the release of version 8.4.0 of WebAccess.

Pierluigi Paganini

(SecurityAffairs – Advantech, WebAccess)

[adrotate banner=”5″]

[adrotate banner=”13″]