Researchers at Core Security have disclosed multiple vulnerabilities affecting products from Advantech Corp., which provides industrial automation and embedded solutions.
The vulnerabilities exist in the following products: Advantech EKI-6340 V2.05, Advantech Web Access 7.2 and Advantech AdamView V4.3.
“The AdamView and WebAccess vulnerabilities are ‘client-side’ attacks, therefore some kind of social engineering is required,” explained Joaquín Rodríguez Varela, senior researcher at Core Security. “The victim would need to execute a file or visit a malicious site before the vulnerability could be exploited. In the case of EKI-6340, if the device is remotely accessible, then the vulnerability is very easy to exploit.”
Advantech did not respond to a SecurityWeek request for comment before publication. According to Core Security, the Advantech EKI-6340 series are wireless mesh access points for outdoor deployment.
According to Core Security, the EKI-6340 series is vulnerable to an OS command injection attack that can be exploited by remote attackers to execute arbitrary code and commands using a non-privileged user account against a vulnerable CGI file.
Core Security also warned that Advantech’s WebAccess product – a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) – is vulnerable to a stack-based buffer overflow attack that can be exploited by remote attackers to execute arbitrary code via a malicious HTML file with specific parameters for an ActiveX component.
The final advisory on AdamView explains that the product has two different fields vulnerable to buffer overflow attacks. The vulnerability is caused by a stack buffer overflow when parsing the display properties parameter. If successfully exploited, an attacker could trigger execution of arbitrary code within the context of the application or crash the application entirely.
The issues in EKI-6340 and AdamView are not going to be patched, according to Core Security. In the case of EKI-6340, that is because the vendor plans to discontinue it early next year, while the AdamView product is no longer supported, the advisories note.
For AdamView users, Core Security recommends avoiding opening untrusted .gni files and using third-party software such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of affected systems. EKI-6340 users should change the ‘guest’ user password, and edit fshttpd.conf to remove the line ‘guest_allow=/cgi/ping.cgi’. Users should also check that the ‘admin’ user doesn’t have the default password.
As for the WebAccess vulnerability, the company recommends anyone affected use third-party software that could help prevent exploitation of affected systems.
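The fshttpd.conf change recommended for the EKI-6340 can be scripted and verified on a copy of the file. The following is an added example, not code from Core Security or Advantech. It assumes the file holds one key=value setting per line; only the ‘guest_allow=/cgi/ping.cgi’ line comes from the advisory, and the sample contents and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumption: fshttpd.conf holds one key=value setting per line;
# only the 'guest_allow=/cgi/ping.cgi' line is taken from the advisory.

# Print active (uncommented) guest_allow entries, whitespace and CR stripped.
list_guest_allow() {
    awk '{ l = $0; sub(/\r$/, "", l); gsub(/[ \t]/, "", l)
           if (l ~ /^guest_allow=/) print l }' "$1"
}

# Remove the ping.cgi guest entry in place, keeping <file>.bak.
# Prints "removed", "clean" (nothing to do) or "failed".
harden_fshttpd() {
    conf=$1
    [ -f "$conf" ] || { echo "failed"; return 2; }
    if ! list_guest_allow "$conf" | grep -qx 'guest_allow=/cgi/ping.cgi'; then
        echo "clean"; return 0
    fi
    cp -p "$conf" "$conf.bak" || { echo "failed"; return 2; }
    tmp=$(mktemp) || { echo "failed"; return 2; }
    # Drop only lines that are exactly this setting; cat keeps ownership/mode.
    if awk '{ l = $0; sub(/\r$/, "", l); gsub(/[ \t]/, "", l)
              if (l != "guest_allow=/cgi/ping.cgi") print }' "$conf" > "$tmp" &&
       cat "$tmp" > "$conf"; then
        rm -f "$tmp"; echo "removed"
    else
        rm -f "$tmp"; echo "failed"; return 2
    fi
}

# Write a constructed sample file (hypothetical contents, not a device dump).
make_sample() {
    printf '%s\n' '# constructed sample' 'guest_allow=/cgi/ping.cgi' \
        '#guest_allow=/cgi/ping.cgi' 'guest_allow=/cgi/example.cgi' > "$1"
    printf ' guest_allow = /cgi/ping.cgi\r\n' >> "$1"   # whitespace/CRLF variant
}

sample=$(mktemp)
make_sample "$sample"
harden_fshttpd "$sample"      # prints: removed
list_guest_allow "$sample"    # prints any guest entries left for review
rm -f "$sample" "$sample.bak"
```

Any entries that list_guest_allow still reports after the change are other paths the ‘guest’ account can reach and are worth reviewing alongside the password changes.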
“Additionally the vendor released WebAccess v8 where it has deleted the vulnerable file ‘webeye.ocx’ but if version upgrade is being performed, the vulnerable ocx file is not deleted at all, therefore we do not consider this a correct fix,” the advisory states.
Varela said Core Security is not aware of any attacks exploiting the issues.
“It should be fine to follow standard operating procedures here and apply these updates during scheduled downtime or maintenance,” he said. “Of course, events may dictate higher or lower priority – every network is different.”