While Advantech does not intend for the test web server to be used for anything other than testing, if it were used in a production environment it would be vulnerable to a stack-based buffer overflow that could allow an attacker with an intermediate skill level to execute arbitrary code. There is no known exploit publicly available for this vulnerability.
DHS ICS-CERT recommends, with the standard impact analysis and risk assessment caveat, the following mitigation measures:
• Upgrade to the latest version and install the patch. The patch can be applied to Advantech Studio Version 6.1 and any earlier version. Users can get more information and download the patch at: http://www.advantechdirect.com/emarketingprograms/AStudio_Patch/AStudio_Patch.htm
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Control system networks and devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized.