This afternoon the DHS ICS-CERT published an alert for a directory traversal vulnerability in the Advantech Studio Web server. The vulnerability, with proof of concept code, was reported by Nin3 in an uncoordinated disclosure (it’s been a while since we’ve seen one of these).
Exploitation of this vulnerability could result in ‘data leakage’. The alert doesn’t provide any details on what types of data might be leak able, but from a security perspective the data of concern would be credential information. The readability of that data would have a major impact on the seriousness of this vulnerability. Of course the business folks might be just as concerned about the exfiltration of process data.
Actually an Indusoft Vulnerability?
Interestingly ICS-CERT notes that:
“ICS-CERT has shared this report with Advantech. Advantech has phased out the Advantech Studio product. As this is a rebranded Indusoft Web Studio product, full support and upgrades are available through Indusoft Web Studio.” (pg 1)
Why, then, does ICS-CERT refer to this as an Advantech Alert instead of an Indusoft Alert, one doesn’t really know. My guess is that if Nin3 named this as an Advantech issue, then ICS-CERT is just going along with that initial identification while it is working with both organizations to resolve the vulnerability.