17 May 2018

Multiple vulnerabilities closed in Advantech WebAccess

Multiple serious vulnerabilities have been closed in Advantech’s WebAccess SCADA/HMI solution. Their exploitation could lead to sensitive information disclosure, arbitrary code execution and file deletion. The vulnerabilities can be exploited remotely by an attacker without high-level skills.

The vulnerabilities affect the following product versions:

  • WebAccess versions V8.2_20170817 and earlier;
  • WebAccess versions V8.3.0 and earlier;
  • WebAccess Dashboard versions V.2.0.15 and earlier;
  • WebAccess Scada Node versions prior to 8.3.1;
  • WebAccess/NMS 2.0.3 and prior.

The vendor has released version 8.3.1, which is not affected by these vulnerabilities.

In total, the vendor has closed 11 vulnerabilities. The most critical of them (CVSS v3 base score of 9.8) are path traversal, buffer overflow, improper authorization and untrusted pointer dereference.

Source: ICS-CERT