Advantech has published a new version of its WebAccess product to address vulnerabilities that put installations at risk of remote code execution attacks. Exploiting the vulnerabilities would be a challenge, however, according to an advisory published Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
ICS-CERT said the flaws, patched in versions prior to 8.1_20160519, would require an attacker to entice the victim to accept a crafted DLL and load it, decreasing the chances the bugs could be exploited. “These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction,” ICS-CERT said in its advisory. “The exploit is only triggered when a local user runs the vulnerable application, which in certain scenarios can cause it to load a DLL file from an untrusted source.”

Advantech WebAccess is the vendor’s web-based HMI, or human-machine interface, product. It’s used in a number of commercial and critical industries, including energy and government agencies, and provides critical infrastructure managers with a visualization of working processes.

The flaws were privately disclosed by researcher Zhou Yu of Acorn Network Security, and ICS-CERT said it is not aware of any public attacks against them. Yu disclosed two flaws to the vendor. The first, CVE-2016-4525, involves a number of ActiveX controls that were intended for restricted use but were instead marked as “safe-for-scripting.” The second, CVE-2016-4528, is a buffer overflow vulnerability in the product that can be exploited via a specially crafted DLL. “The vulnerabilities could allow an attacker who successfully exploits them to insert and run arbitrary code on an affected system,” ICS-CERT said. There was a similar buffer overflow issue in WebAccess two years ago.

Earlier this year, researchers at Rapid7 disclosed a potential backdoor in Advantech EKI serial device drivers. The flaw lay in the Dropbear SSH daemon in the server and its failure to enforce authentication. Any user could bypass authentication in the Dropbear SSH client if they had a public key and a password. That disclosure came two months after hard-coded SSH keys were found in its EKI switches.
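The first flaw above turns on whether an ActiveX control is registered as safe to script from a web page. On Windows that marking lives in the registry as a component category under the control's CLSID, and the standard mitigation, short of patching, is the Internet Explorer "kill bit", which stops IE from instantiating the control at all. The following PowerShell audit is an added example written for this article; it is not code from Advantech, ICS-CERT, or the researcher. The CLSIDs it checks are placeholders (the advisory text here does not list them), and the category GUIDs and kill-bit flag are the documented Windows values.

```powershell
# Added example (not from the article or from Advantech): audits ActiveX CLSIDs
# for "Safe for Scripting" / "Safe for Initializing" category markings and for
# an Internet Explorer kill bit. The CLSID values passed in are placeholders;
# substitute the controls installed by the product under review.

# Well-known component-category GUIDs defined in the Windows SDK.
$CatSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$CatSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
# COMPAT_EVIL_DONT_LOAD: the kill-bit flag in "Compatibility Flags".
$KillBitFlag            = 0x400

function Get-ActiveXSafetyStatus {
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$id"
        $catKey   = "$clsidKey\Implemented Categories"
        $killKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$id"

        $registered = Test-Path $clsidKey
        $scripting  = Test-Path "$catKey\$CatSafeForScripting"
        $initing    = Test-Path "$catKey\$CatSafeForInitializing"

        $serverPath = $null
        if ($registered) {
            $serverPath = (Get-ItemProperty -Path "$clsidKey\InprocServer32" `
                -ErrorAction SilentlyContinue).'(default)'
        }

        $killBit = $false
        if (Test-Path $killKey) {
            $flags = (Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $flags) { $killBit = (($flags -band $KillBitFlag) -ne 0) }
        }

        [PSCustomObject]@{
            CLSID               = $id
            Registered          = $registered
            ServerPath          = $serverPath
            SafeForScripting    = $scripting
            SafeForInitializing = $initing
            KillBitSet          = $killBit
            # Registered, reachable from script, and not kill-bitted: review this one.
            NeedsReview         = ($registered -and ($scripting -or $initing) -and -not $killBit)
        }
    }
}

# Sets the IE kill bit for a CLSID (requires an elevated session). This is the
# documented Microsoft mitigation for a control that should not load in IE.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    $killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $killKey)) { New-Item -Path $killKey -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $killKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newFlags = if ($null -ne $existing) { $existing -bor $KillBitFlag } else { $KillBitFlag }
    Set-ItemProperty -Path $killKey -Name 'Compatibility Flags' -Value $newFlags -Type DWord
}

# Placeholder CLSIDs: replace with the control identifiers from the vendor advisory.
$suspectClsids = @('{00000000-0000-0000-0000-000000000001}')
Get-ActiveXSafetyStatus -Clsid $suspectClsids | Format-Table -AutoSize
```

Two caveats when reading the output: a control can also declare itself safe at runtime through the IObjectSafety interface rather than the registry categories, so a control reported as not marked is not thereby proven unscriptable; and on 64-bit Windows, 32-bit controls register under the Wow6432Node hive, so the same checks should be repeated against those paths for a 32-bit browser.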
Advantech deployed new firmware for its EKI-122x series of products that disables HTTPS and SSH.