Advantech WebAccess 8.x < 8.1 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9862

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is 8.x prior to 8.1 and is affected by the following vulnerabilities:

- Multiple overflow conditions exist in 'BwpAlarm.dll' that are triggered as user-supplied input is not properly validated when handling various IOCTL system calls. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- An overflow condition exists in 'WaDBS.dll' that is triggered as user-supplied input is not properly validated when handling IOCTL 0x13C7C and the 'TagName' parameter. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- An overflow condition exists in 'BwBASScdDl.dll' that is triggered as user-supplied input is not properly validated when handling IOCTL 0x138B4 and the 'TargetHost' parameter. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- An overflow condition exists in 'BwOpcSvc.dll' that is triggered as user-supplied input is not properly validated when handling IOCTL 0x13895 and the 'WindowName' parameter. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- Multiple overflow conditions exist in 'BwKrlApi.dll' that are triggered as user-supplied input is not properly validated when handling various IOCTL system calls. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- Multiple overflow conditions exist in 'ViewSrv.dll' that are triggered as user-supplied input is not properly validated when handling various IOCTL system calls. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- Multiple overflow conditions exist in 'DrawSrv.dll' that are triggered as user-supplied input is not properly validated when handling various IOCTL system calls. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- An overflow condition exists in 'ViewDll.dll' that is triggered as user-supplied input is not properly validated when handling IOCTL 0x280B. With a specially crafted request to the webvrpcs service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- Multiple overflow conditions exist in 'datacore.exe' that are triggered as user-supplied input is not properly validated when handling various IOCTL system calls. With a specially crafted request to the datacore service, a remote attacker can cause a stack-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
- A flaw exists that is triggered as file types and extensions for uploaded files are not properly validated by the Dashboard Viewer 'UploadAjaxAction' script before being placed in a user-accessible path. This may allow a remote attacker to upload an arbitrary file and then request it in order to execute arbitrary code with SYSTEM privileges.
- A flaw exists that is triggered as file types and extensions for uploaded files are not properly validated by the Dashboard Viewer 'SaveGeneralFile' script before being placed in a user-accessible path. This may allow a remote attacker to upload an arbitrary file and then request it in order to execute arbitrary code with SYSTEM privileges.
- A flaw exists in Dashboard Viewer that allows traversing outside of a restricted path. The issue is due to the 'removeFolder' script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../'). With a specially crafted request, a remote attacker can delete, rename, overwrite, and read arbitrary directories on the system.
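
For hosts that cannot be upgraded immediately, the following added example (not part of the plugin or of Advantech's software) triages web access logs for requests to the three Dashboard Viewer scripts named above. It assumes Common Log Format and that the script name appears in the request URI; the sample lines, their paths and the 'p' parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Dashboard Viewer script names taken from the description above.
UPLOAD_SCRIPTS = ("uploadajaxaction", "savegeneralfile")
TRAVERSAL_SCRIPT = "removefolder"
# Assumption: Common Log Format, script name visible in the request URI.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) [^"]*" (\d{3})')
# A ".." path segment delimited by separators, '=' or '&' after decoding.
DOTDOT_RE = re.compile(r'(^|[\\/=&?])\.\.([\\/&]|$)')

# Constructed sample lines; the paths and the 'p' parameter are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2016:10:00:00 +0000] "GET /example/index.html HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Feb/2016:10:02:11 +0000] "POST /example/UploadAjaxAction HTTP/1.1" 200 88',
    '192.0.2.44 - - [01/Feb/2016:10:02:15 +0000] "GET /example/removeFolder?p=%252e%252e%252fx HTTP/1.1" 200 12',
    '192.0.2.7 - - [01/Feb/2016:10:05:00 +0000] "GET /example/removeFolder?p=reports HTTP/1.1" 200 12',
]


def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is still seen."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def triage(lines):
    """Return (client, reason, status, raw_uri) for requests worth reviewing."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, method, raw_uri, status = m.groups()
        uri = fully_decode(raw_uri)
        path = uri.lower()
        if method == "POST" and any(s in path for s in UPLOAD_SCRIPTS):
            findings.append((client, "upload script POST", status, raw_uri))
        if TRAVERSAL_SCRIPT in path:
            reason = "removeFolder with '../'" if DOTDOT_RE.search(uri) else "removeFolder call"
            findings.append((client, reason, status, raw_uri))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so a traversal string or uploaded file name sent in the body will only surface here as a bare call to the script.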

Solution

Upgrade to Advantech WebAccess version 8.1 or later.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01

http://www.securityweek.com/advantech-failed-patch-serious-flaws-scada-product

Plugin Details

Severity: Critical

ID: 9862

Family: SCADA

Published: 1/11/2017

Updated: 3/6/2019

Nessus ID: 89111

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 12/21/2015

Vulnerability Publication Date: 1/14/2016

Exploitable With

Metasploit (windows/scada/advantech_webaccess_dashboard_file_upload.rb)

Reference Information

CVE: CVE-2016-0854, CVE-2016-0855, CVE-2016-0856, CVE-2016-0857, CVE-2016-0860

BID: 80745