26 April 2018

Vulnerabilities in Advantech WebAccess HMI Designer

Dangerous vulnerabilities have been identified in Advantech WebAccess HMI Designer, a SCADA/HMI development solution. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code on a target system using specially crafted .pm3 files. Processing such files may result in a heap-based buffer overflow (CVE-2018-8833), a double-free condition (CVE-2018-8835) and an out-of-bounds write (CVE-2018-8837).

The vulnerabilities affect all versions of the software up to 2.1.7.32 (inclusive). Their severity is rated as medium (CVSS v3 base score of 6.3).

Advantech is working on a solution for this issue.

Source: ICS-CERT