Full Report
Multiple serious vulnerabilities have been closed in Advantech’s WebAccess SCADA/HMI solution. Their exploitation could lead to sensitive information disclosure, arbitrary code execution and file deletion.
Analysis Summary
Based on the analysis of the security advisory regarding Advantech WebAccess, here is the summarized vulnerability information.
# Vulnerability: Multiple Critical Flaws in Advantech WebAccess SCADA/HMI
## CVE Details
- **CVE ID:** CVE-2017-16720, CVE-2017-16722, CVE-2017-16724, CVE-2018-7490, CVE-2018-8833, CVE-2018-8837, CVE-2018-8839, CVE-2018-8841, CVE-2018-8845, CVE-2018-8849
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-287 (Improper Authentication), CWE-426 (Untrusted Search Path), CWE-73 (External Control of File Name or Path)
## Affected Systems
- **Products:** Advantech WebAccess
- **Versions:** All versions prior to V8.3
- **Configurations:** Systems running the WebAccess Node or Dashboard components exposed to network traffic.
## Vulnerability Description
The vulnerabilities encompass a wide range of technical flaws within the SCADA/HMI software architecture:
1. **Stack-based Buffer Overflows:** Several processing functions failed to properly validate input length, allowing attackers to overwrite memory.
2. **Untrusted Search Path:** The application may load DLLs from unauthorized paths, leading to privilege escalation.
3. **Insecure Direct Object References:** Flaws in how the system handles file paths allowed for unauthorized file deletion and sensitive information disclosure via directory traversal.
4. **Authentication Bypass:** Weaknesses in the authentication mechanism allowed remote attackers to gain unauthorized access to administrative functions.
## Exploitation
- **Status:** PoC available (several of these flaws were identified via Pwn2Own and subsequent security research).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Disclosure of sensitive SCADA configuration and credentials)
- **Integrity:** High (Unauthorized modification of HMI files and arbitrary code execution)
- **Availability:** High (Potential for system crashes or intentional deletion of critical system files)
## Remediation
### Patches
- **Advantech WebAccess V8.3:** All identified vulnerabilities are addressed in this version. Users are strongly encouraged to update to V8.3 or the latest available version immediately.
### Workarounds
- **Network Segmentation:** Isolate the SCADA network from the business network and the internet.
- **Access Control:** Use VPNs for remote access and implement strict firewall rules that allow traffic only on the necessary ports (e.g., TCP 1234).
- **Least Privilege:** Ensure the WebAccess software is running with the minimum necessary OS privileges.
## Detection
- **Indicators of Compromise:** Monitor for unusual `.dll` files in WebAccess directories, unexpected system reboots, or unauthorized file deletions in the `C:\WebAccess\Node` directory.
- **Detection Methods:** Use IDS/IPS signatures specific to Advantech WebAccess RPC interfaces. Audit web server logs for directory traversal patterns (e.g., `../..`), including their percent-encoded and backslash variants.
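The log audit suggested above, as an added example that is not part of the original advisory and not Advantech's code: a small scanner that parses Common Log Format lines, normalizes each request path (repeated percent-decoding plus backslash-to-slash conversion, so `%2e%2e%2f` and `..%5c` are caught as well as a literal `../..`), flags requests whose path contains a traversal segment, and groups the hits by client IP. The log lines, the `/app/` URL prefix and the file names in them are constructed sample data, not real WebAccess paths; the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not real WebAccess traffic).
# The /app/ prefix and the requested file names are placeholders for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [17/May/2018:10:01:02 +0000] "GET /app/index.asp HTTP/1.1" 200 512
10.0.0.9 - - [17/May/2018:10:01:05 +0000] "GET /app/../../windows/win.ini HTTP/1.1" 200 311
10.0.0.9 - - [17/May/2018:10:01:07 +0000] "GET /app/%2e%2e%2f%2e%2e%2fboot.ini HTTP/1.1" 404 120
10.0.0.9 - - [17/May/2018:10:01:09 +0000] "GET /app/..%5c..%5cconfig.dat HTTP/1.1" 200 900
10.0.0.7 - - [17/May/2018:10:02:00 +0000] "GET /app/css/style.css HTTP/1.1" 200 1024
"""

# Common Log Format: client - - [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# A ".." path segment delimited by slashes (or at the start/end of the path).
# Plain "file..txt" does not match because ".." is not a whole segment there.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def normalize_path(path: str) -> str:
    """Percent-decode up to three times (covers double encoding such as %252e)
    and turn backslashes into slashes so Windows-style traversal is visible."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace('\\', '/')


def has_traversal(path: str) -> bool:
    """True if the decoded request path contains a '..' directory segment."""
    return bool(TRAVERSAL_RE.search(normalize_path(path)))


def find_traversal_requests(log_text: str) -> list:
    """Return one dict per request whose path carries a traversal pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if has_traversal(m['path']):
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'path': m['path'],
                'decoded': normalize_path(m['path']),
                'status': int(m['status']),
            })
    return hits


def hits_by_ip(hits: list) -> dict:
    """Count flagged requests per client address for triage."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


def likely_successful(hits: list) -> list:
    """Traversal requests answered with 200 deserve first attention: the server
    may actually have returned a file outside the web root."""
    return [h for h in hits if h['status'] == 200]


if __name__ == '__main__':
    found = find_traversal_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ip']} {h['status']} {h['path']} -> {h['decoded']}")
    print('per-IP counts:', hits_by_ip(found))
    print('answered 200:', len(likely_successful(found)))
```

The normalization step is the part that matters: a signature that only looks for the literal string `../..` misses the encoded forms, while decoding before matching catches them all with one rule. The check is deliberately simple (it does not collapse patterns such as `....//`), so treat it as a first-pass filter over logs rather than a complete detector.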
## References
- **Vendor Advisory:** hxxps[://]www[.]advantech[.]com/industrial-automation/webaccess
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-081-01
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/05/17/multiple-vulnerabilities-closed-in-advantech-webaccess/