This afternoon the DHS ICS-CERT published an advisory for the Advantech
WebAccess application. The advisory covers 15 vulnerabilities identified by a
number of different researchers, including Ivan Sanchez. I think this sets an
ICS-CERT record for the number of vulnerabilities in a single advisory.
Advantech has produced a new version that mitigates the vulnerabilities and
Sanchez has tested it to verify the efficacy of the fix for the unidentified
vulnerabilities that he reported.
The vulnerabilities [corrected word 10:20 CST, 1-16-16] include:
• Access of memory location after end of buffer - CVE-2016-0851;
• Unrestricted upload of file with dangerous type - CVE-2016-0854;
• Path traversal - CVE-2016-0855;
• Stack-based buffer overflow - CVE-2016-0856;
• Heap-based buffer overflow - CVE-2016-0857;
• Race condition - CVE-2016-0858;
• Integer overflow to buffer overflow - CVE-2016-0859;
• Improper restriction of operations within bounds of a memory buffer - CVE-2016-0860;
• Improper access control - CVE-2016-0852;
• Improper input validation - CVE-2016-0853;
• Cross-site scripting - CVE-2016-0848;
• SQL injection - CVE-2016-0847;
• Cross-site request forgery - CVE-2016-0846;
• External control of file name or path - CVE-2016-0867; and
• Clear text storage of sensitive information - CVE-2016-08443.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities.
There is nothing in the Advantech press release for this new version or the
release notes that indicates that any security issues (much less 15 of them)
exist and have been resolved. The description of some of the ‘resolved
problems’ can be traced back to some of the vulnerabilities listed above by
someone versed in cybersecurity vulnerabilities, but there is nothing in the
Advantech literature that would indicate that there was any security need to
switch to the new version.