Thursday, January 14, 2016

ICS-CERT Publishes Advantech Advisory

This afternoon the DHS ICS-CERT published an advisory for the Advantech WebAccess application. The Advisory covers 15 vulnerabilities identified by a number of different researchers, including Ivan Sanchez. I think this sets an ICS-CERT record for the number of vulnerabilities in a single advisory. Advantech has produced a new version that mitigates the vulnerabilities and Sanchez has tested it to verify the efficacy of the fix for the unidentified vulnerabilities that he reported.

The vulnerabilities [corrected word 10:20 CST, 1-16-16] include:

• Access of memory location after end of buffer - CVE-2016-0851;
• Unrestricted upload of file with dangerous type - CVE-2016-0854;
• Path traversal - CVE-2016-0855;
• Stack-based buffer overflow - CVE-2016-0856;
• Heap-based buffer overflow - CVE-2016-0857;
• Race condition - CVE-2016-0858;
• Integer overflow to buffer overflow - CVE-2016-0859;
• Improper restriction of operations within bounds of a memory buffer - CVE-2016-0860;
• Improper access control - CVE-2016-0852;
• Improper input validation - CVE-2016-0853;
• Cross-site scripting - CVE-2016-0848;
• SQL injection - CVE-2016-0847;
• Cross-site request forgery - CVE-2016-0846;
• External control of file name or path - CVE-2016-0867; and
• Clear text storage of sensitive information - CVE-2016-08443.
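
Three of the classes in that list (unrestricted upload of a file with dangerous type, path traversal, and external control of file name or path) share one root cause: a client-supplied file name reaching the file system without being constrained. The following is an added illustration of the defensive check such an upload handler needs, written for this post and not taken from the advisory, from Advantech, or from WebAccess; the upload directory, the extension allow-list, and the function names are assumptions for the example.

```python
import posixpath

# Constructed example: a hardened upload-path check showing the defensive
# counterpart of three vulnerability classes in the advisory (unrestricted
# upload of a dangerous file type, path traversal, external control of a
# file name or path). Not Advantech or ICS-CERT code; the root directory
# and allow-list below are assumed values.
UPLOAD_ROOT = "/srv/app/uploads"               # assumed upload directory
ALLOWED_EXTENSIONS = {".csv", ".txt", ".png"}  # assumed extension allow-list


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_upload_path(client_name: str, root: str = UPLOAD_ROOT) -> str:
    """Return the path under ``root`` where ``client_name`` may be stored.

    The client-supplied name is reduced to its final path component, checked
    against an extension allow-list, and the joined path is confirmed to stay
    inside ``root`` after normalisation. Any failure raises UnsafeUploadName.
    """
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadName("empty name or NUL byte")
    # Browsers and attackers alike may send directory components; keep only
    # the last one, treating both '/' and '\' as separators.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", ".."):
        raise UnsafeUploadName("no usable file name component")
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeUploadName(f"extension {ext!r} not permitted")
    # Some web servers pick the inner type of a double extension such as
    # 'page.asp.txt'; reject any further dot in the stem.
    stem = base[: -len(ext)]
    if "." in stem:
        raise UnsafeUploadName("multiple extensions not permitted")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, base))
    # Containment check (defence in depth: the name has no separators left,
    # but the final path must still resolve inside the upload root).
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise UnsafeUploadName("path escapes upload root")
    return candidate


def is_safe_upload_name(client_name: str) -> bool:
    """Boolean convenience wrapper around safe_upload_path."""
    try:
        safe_upload_path(client_name)
    except UnsafeUploadName:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names: the first two are accepted, the rest rejected.
    for name in ("report.csv", "C:\\Users\\op\\trend.txt",
                 "../../etc/passwd", "page.asp", "page.asp.txt", ".."):
        print(f"{name!r}: {'accepted' if is_safe_upload_name(name) else 'rejected'}")
```

The allow-list on extensions, rather than a deny-list of known-bad ones, is what addresses the "dangerous type" class; the basename reduction and the containment check together address the traversal and external-control classes. A production handler would additionally generate its own storage name (for instance a random token) and keep the client name only as metadata, which removes the client's influence on the path entirely.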

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.

There is nothing in the Advantech press release for this new version or the release notes that indicates that any security issues (much less 15 of them) exist and have been resolved. The description of some of the ‘resolved problems’ can be traced back to some of the vulnerabilities listed above by someone versed in cybersecurity vulnerabilities, but there is nothing in the Advantech literature that would indicate that there was any security need to switch to the new version.
