ICS/OT

Code Execution, DoS Flaws Patched in Advantech WebAccess

Several serious vulnerabilities have been patched by Taiwan-based industrial automation company Advantech in its WebAccess SCADA software.

Published

<p><strong><span><span>Several serious vulnerabilities have been patched by Taiwan-based industrial automation company Advantech in its WebAccess SCADA software.</span></span></strong></p>

Several serious vulnerabilities have been patched by Taiwan-based industrial automation company Advantech in its WebAccess SCADA software.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product has been used mainly in the United States, Europe and East Asia, in sectors such as critical manufacturing, energy, and water and wastewater.

According to an advisory published this week by ICS-CERT, researchers discovered that WebAccess is affected by three types of vulnerabilities, including two remote code execution flaws rated “critical” and one denial-of-service (DoS) bug classified as “high severity.”

Learn More About ICS Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference

The security holes were reported by researchers to Advantech through Trend Micro’s Zero Day Initiative (ZDI). The company has published two dozen advisories describing each variation of the three vulnerabilities.

According to ZDI, the code execution flaws, tracked as CVE-2019-6552 and CVE-2019-6550, can be exploited by an unauthenticated attacker to execute arbitrary code with administrator privileges. The vulnerabilities exist in different executable files, but they all appear to be related to the same resource in the webvrpcs process.

“The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer,” ZDI’s advisories explain.

As for the DoS flaw, identified as CVE-2019-6554, it affects a file named UninstallWA.exe and the same webvrpcs process. An unauthenticated attacker can exploit the weakness to uninstall the application and create a DoS condition on the system.

Advertisement. Scroll to continue reading.

The vulnerabilities were reported to Advantech in January and ICS-CERT says they were patched with the release of version 8.4.0 of WebAccess.

Related: Critical Code Execution Flaws Patched in Advantech WebAccess

Related: Several Vulnerabilities Patched in Advantech WebAccess

Related: Advantech WebAccess Flaws Allow Access to Sensitive Data

Related: Advantech Failed to Patch Serious Flaws in SCADA Product

In this article:

Related Content

Cloud SCADA

ICS/OT

UK Government Releases Cloud SCADA Security Guidance

UK’s NCSC releases security guidance for OT organizations considering migrating their SCADA solutions to the cloud.

March 18, 2024

ICS/OT

Cyber Insights 2024: OT, ICS and IIoT

In an age of increasing geopolitical tensions caused by actual wars, and the threat of Chinese action against Taiwan, OT is a target that...

March 6, 2024

ICS/OT

Podcast: Palo Alto Networks Talks IT/OT Convergence

SecurityWeek interviews Del Rodillas, Senior Director of Product Management at Palo Alto Networks, about the integration of IT and OT in the ICS threat landscape.

January 31, 2024

ICS/OT

Unpatched Rapid SCADA Vulnerabilities Expose Industrial Organizations to Attacks

Seven vulnerabilities found in Rapid SCADA could be exploited to gain access to sensitive industrial systems, but they remain unpatched.

January 18, 2024

ICS/OT

Breaches by Iran-Affiliated Hackers Spanned Multiple U.S. States, Federal Agencies Say

The Municipal Water Authority of Aliquippa was just one of multiple organizations breached in the U.S. by Iran-linked "Cyber Av3ngers" hackers

December 2, 2023

ICS/OT

Congressmen Ask DOJ to Investigate Water Utility Hack, Warning It Could Happen Anywhere

Members of Congress asked the U.S. Justice Department to investigate how foreign hackers breached a water authority near Pittsburgh, prompting CISA to warn other...

December 1, 2023

ICS/OT

Critical Infrastructure Stakeholders Gather for Day 2 of SecurityWeek’s 2023 ICS Cybersecurity Conference

SecurityWeek’s 2023 ICS Cybersecurity Conference continues in Atlanta, as hundreds of industrial cybersecurity stakeholders gather for Day 2 of the annual industrial cybersecurity conference.

October 25, 2023

ICS/OT

Watch Now: Exposing Common Myths of OT Cybersecurity

Join SecurityWeek and TXOne Networks for this webinar as we expose common misconceptions surrounding the security of Operational Technology (OT) and dive into the...

July 27, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version