This afternoon the DHS ICS-CERT published an alert for a
directory traversal vulnerability in the Advantech Studio Web server. The
vulnerability, with proof of concept code, was reported by Nin3 in an
uncoordinated disclosure (it’s been a while since we’ve seen one of these).
Exploitation of this vulnerability could result in ‘data
leakage’. The alert doesn’t provide any details on what types of data might be
leakable, but from a security perspective the data of concern would be credential
information. Whether that data is readable in the clear would have a major impact on the
seriousness of this vulnerability. Of course, the business folks might be just
as concerned about the exfiltration of process data.
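As an added illustration (not code from the alert, from Nin3, or from the Advantech or Indusoft product) of the check a web server needs in order to turn a request path into a file path without letting the request escape the document root, and of how the same check can be re-run over access logs to find requests that should have been refused. The document root, the helper names and the log lines below are constructed assumptions, not values from the alert.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote


def resolve_under_root(document_root: str, request_path: str) -> Optional[str]:
    """Map an HTTP request path onto the filesystem, refusing any request that
    would leave document_root. Returns the filesystem path, or None to reject.
    document_root is an assumed example value supplied by the caller."""
    # Drop the query string, then percent-decode twice so that both "%2e%2e"
    # and double-encoded "%252e%252e" are seen as the ".." they become.
    path = unquote(unquote(request_path.split("?", 1)[0]))
    # NUL bytes truncate C strings; backslashes are path separators on Windows.
    if "\x00" in path or "\\" in path:
        return None
    # Walk the segments with a stack. A ".." that would pop an empty stack is
    # an attempt to climb above the root, so reject instead of silently clamping.
    stack: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    # Resolve symlinks on both sides and confirm containment; this also catches
    # a symlink inside the web root that points outside it.
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, *stack))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Common Log Format: client, identity, user, [timestamp], "METHOD path HTTP/x.y", status
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d" (\d{3})'
)


def scan_access_log(lines: List[str], document_root: str) -> List[Tuple[str, str]]:
    """Re-run the containment check over access-log lines and return
    (client, request_path) for every request the server should have refused.
    Useful after the fact: a served (200) response on one of these lines is
    the 'data leakage' case."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, req_path, _status = m.groups()
        if resolve_under_root(document_root, req_path) is None:
            hits.append((client, req_path))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2012:12:00:01 +0000] "GET /static/css/../app.css HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2012:12:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2012:12:00:03 +0000] "GET /%2e%2e/%2e%2e/config/users.xml HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    # "/srv/webroot" is an assumed document root for the demonstration.
    for client, path in scan_access_log(SAMPLE_LOG, "/srv/webroot"):
        print(f"traversal attempt from {client}: {path}")
```

The stack walk rejects only a ".." that would rise above the root, so a legitimate but unnormalized path such as "/static/css/../app.css" is still served; the final realpath comparison is what defends against symlinks planted inside the root.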
Actually an Indusoft Vulnerability?
Interestingly ICS-CERT notes that:
“ICS-CERT has shared this report
with Advantech. Advantech has phased out the Advantech Studio product. As this
is a rebranded Indusoft Web Studio product, full support and upgrades are
available through Indusoft Web Studio.” (pg 1)
Why, then, ICS-CERT refers to this as an Advantech alert
instead of an Indusoft alert, one doesn’t really know. My guess is that Nin3
named this as an Advantech issue, and ICS-CERT is just going along with that
initial identification while it works with both organizations to resolve
the vulnerability.
2 comments:
The reason is because this was sold for years under the Advantech name. It's sort of like the situation with TI Industrial Automation when they were bought out by Siemens.
Customers referred to it for years as the TI 505 platform.
Thanks for the clarification Jake. Is it sold under any other names?