This morning the DHS ICS-CERT followed up yesterday’s publication of two alerts for Advantech products with an advisory that I described yesterday for a stack-based buffer overflow vulnerability in the WebAccess product.
ICS-CERT reports that a relatively unskilled attacker could exploit this vulnerability to execute arbitrary code or crash the system. ICS-CERT also reports that there is no publicly available exploit for this vulnerability, but Core Security has clearly printed proof-of-concept code in their advisory [7:49 CST 11-23-14 Corrected link to go to Core Security site not ICS-CERT] for this vulnerability.
As I mentioned yesterday, ICS-CERT acknowledges that the latest version of WebAccess does not contain this vulnerability, but that updating to that version does not specifically remove the vulnerable file from the system. The owner/operator has to take specific action to remove that file; that action is not covered in the Advantech documentation, but has been identified by Core Security.