Thursday, September 18, 2014

ICS-CERT Publishes Advantech Advisory

Earlier this evening the DHS ICS-CERT published a new advisory for multiple buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were identified by Ricardo Narvaja of Core Security Technologies in a coordinated disclosure. Advantech has provided a patch to resolve the vulnerabilities and Narvaja has verified the efficacy of the fix.

The eight stack buffer overflow vulnerabilities affect the following parameters:

● NodeName, CVE-2014-0985;
● GotoCmd, CVE-2014-0986;
● NodeName2, CVE-2014-0987;
● AccessCode, CVE-2014-0988;
● AccessCode2, CVE-2014-0989;
● UserName, CVE-2014-0990;
● ProjectName, CVE-2014-0991;
● Password, CVE-2014-0992.

Because exploiting these vulnerabilities would require a social engineering attack, ICS-CERT reports that an exploitation of one of these vulnerabilities could be done remotely, but there would be a reduced likelihood of a successful attack.

No comments:

/* Use this with templates/template-twocol.html */