Wednesday, November 19, 2014

ICS-CERT Publishes Alerts for 2 of 3 Reported Advantech Vulnerabilities

Today the DHS ICS-CERT published alerts for two different Advantech products: EKI-6340 and AdamView. Adam Greenberg reports that the same researchers also reported a vulnerability in WebView.

EKI-6340 Alert

This alert addresses a command injection vulnerability that was discovered by Facundo Pantaleo and Flavio Cangini of the Core Security Engineering Team. The disclosure was coordinated through ICS-CERT, but when Advantech announced that they would not be fixing the vulnerability since the product would be discontinued next year, Core Security published the vulnerability on their web site.

The Core Security notice also includes suggested fixes for the vulnerability. Too bad Core Security can’t charge for Advantech’s laziness (considering the ease of the fix that could have been announced by Advantech).

AdamView Alert

This alert addresses a buffer overflow vulnerability that was discovered by Daniel Kazimirow and Fernando Paez of the Core Security Engineering Team. The disclosure was coordinated through ICS-CERT, but Advantech has not supported this product “for a while” and will not fix the vulnerability. Unfortunately, outdated products do not usually get fixed.

Core Security notes that since this is a client-side vulnerability there are only limited fixes that can be applied to mitigate this vulnerability.

WebView Vulnerability

The Core Security Team also reported a stack-based buffer overflow vulnerability in the Advantech WebView application. I suspect that ICS-CERT has not issued an advisory on this vulnerability since they may be working to get Advantech to fix the fix found in version 8.0 that Core Security says does not correct the vulnerability when applied to existing systems.

It seems that the vulnerable file "webeye.ocx" is not in the newest version, but when a system with an earlier version is upgraded the existing webeye.ocx is not removed from the system, so the vulnerability remains.
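The failure mode described above, an upgrade that ships a clean build but leaves the old vulnerable file in place, is one a site can check for itself after upgrading. The script below is an added example (not from this post, Core Security or Advantech): it takes a file inventory (relative path to SHA-256) before and after an upgrade and flags any watch-listed file, here webeye.ocx, that survived the upgrade byte-for-byte. The install tree, file contents and the name of the replacement control are constructed for the example; on a real Windows host a complete check would also confirm the old control is no longer registered, which is outside what this script models.

```python
"""Post-upgrade leftover check (added example; not the post's or vendor's code).

Compares a pre-upgrade and post-upgrade inventory of an install directory and
reports watch-listed files that the upgrade neither removed nor replaced.
All paths, file contents and the 'neweye.ocx' name are constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root):
    """Map each file under root (relative path, lowercased, '/' separated) to its hash."""
    root = Path(root)
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root)).replace(os.sep, "/").lower()
            result[rel] = sha256_file(full)
    return result


def find_leftovers(before, after, watch_names):
    """Return relative paths of watch-listed files unchanged by the upgrade.

    A file is a leftover when its basename is on the watch list and it is
    present in both inventories with the same hash: the upgrade left the old
    copy exactly where it was, which is the situation the post describes.
    """
    watch = {n.lower() for n in watch_names}
    return sorted(
        rel for rel, digest in before.items()
        if rel.rsplit("/", 1)[-1] in watch and after.get(rel) == digest
    )


def simulate(upgrade_removes_control):
    """Build a constructed install tree, 'upgrade' it, and return the leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "webeye.ocx").write_bytes(b"OLD CONTROL (constructed)")
        (root / "app.exe").write_bytes(b"OLD APP (constructed)")
        before = inventory(root)
        # The upgrade replaces the application binary and adds a new control...
        (root / "app.exe").write_bytes(b"NEW APP (constructed)")
        (root / "neweye.ocx").write_bytes(b"NEW CONTROL (constructed)")
        # ...and only a correct installer also removes the old control.
        if upgrade_removes_control:
            (root / "webeye.ocx").unlink()
        after = inventory(root)
        return find_leftovers(before, after, ["webeye.ocx"])


if __name__ == "__main__":
    print("careless upgrade leftovers:", simulate(False))  # ['webeye.ocx']
    print("correct upgrade leftovers:", simulate(True))    # []
```

Run it against a real install by calling `inventory()` on the application directory before and after the vendor's upgrade and feeding both maps to `find_leftovers()`; an empty list means nothing on the watch list survived unchanged.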

Not So Coordinated Disclosure

Now I fully understand (and support) the Core Security Team publication of the first two vulnerabilities since the vendor told ICS-CERT that they would not be issuing a fix. That makes the vulnerability fair game for publication in my opinion, especially when Core Security stepped up and suggested mitigation measures.

The question on the third is a tad bit more vague. Core Security reports that they notified ICS-CERT on October 1st about the vulnerability (actually all three vulnerabilities) and then advised ICS-CERT on October 21st that the fix Advantech reported did not actually fix existing system vulnerabilities. Their advisory reports that ICS-CERT notified them on October 27th about why it did not work, but does not indicate that Advantech refused to revise the fix.

I would hope that ICS-CERT was working with Advantech to get them to revise the Version 8.0 fix so that it did remove and/or modify the existing file. Lacking a specific notice that Advantech refused to fix the fix, I think that a responsible researcher (in my definition) would give ICS-CERT a little more than just 23 days to get a recalcitrant vendor to see the error of their ways. But, that is just my opinion.
