ICS Advisory (ICSA-19-178-05) Advantech WebAccess/SCADA

From us-cert.gov

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.


1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low skill level to exploit
  • Vendor: Advantech
  • Equipment: WebAccess/SCADA
  • Vulnerabilities: Path Traversal, Stack-based Buffer Overflow, Heap-based Buffer Overflow, Out-of-bounds Read, Out-of-bounds Write, Untrusted Pointer Dereference

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow information disclosure, deletion of files, and remote code execution.
