13 April 2020

Multiple vulnerabilities in Advantech WebAccess/NMS

Multiple vulnerabilities have been identified in Advantech’s WebAccess/NMS (all versions prior to 3.0.2), a network monitoring system used for device control, setup and monitoring. Exploiting these vulnerabilities could enable an attacker to execute arbitrary code remotely, upload or delete files, cause a denial-of-service condition or create an admin account for the application.

The most dangerous of the vulnerabilities are CVE-2020-10621 and CVE-2020-10631, for which CVSS v.3 base scores of 9.8 and 9.1, respectively, were calculated. The former allows potentially dangerous files to be uploaded, the latter is a Path Traversal vulnerability, which can potentially enable attackers to access files (including reading and deleting them) outside the application’s control, via a specially crafted URL. Another Path Traversal vulnerability, CVE-2020-10619, also allows an attacker to delete files. It has been assigned a CVSS v.3 base score of 8.2.

WebAccess/NMS is also affected by an OS command injection flaw (CVE-2020-10603) and SQL injection vulnerabilities – CVE-2020-10617 and CVE-2020-10623. The CVSS v.3 base scores calculated for these vulnerabilities are 8.8, 7.5, and 6.5, respectively.

Finally, an XXE vulnerability (CVE-2020-10629) and a Missing Authentication for Critical Function vulnerability (CVE-2020-10625), which allows an attacker to create a new admin account, have been identified in WebAccess/NMS. Both these flaws have been assigned a CVSS v.3 base score of 7.5.

To close the above vulnerabilities, the vendor recommends updating the solution to version 3.0.2.

Source: ICS-CERT