Two Advisories Published

Today the DHS NCCIC-ICS published two control system security advisories for products from Advantech and GEOVAP.

Advantech Advisory

This advisory describes two vulnerabilities in the Advantech WebAccess application. The vulnerability was reported by Mat Powell via the Zero Day Initiative. Advantech has a new version (the same version that mitigated Tuesday’s vulnerabilities) that mitigates the vulnerabilities. There is no indication that Powell has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper Access Control - CVE-2018-17908; and

• Stack-based buffer overflow - CVE-2018-17910

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for arbitrary remote code execution.

NOTE: It is interesting that Matt has two Advantech advisories this week where he is the security researcher. Looking at the CVE numbers it looks like there was at least some delay between the reporting of the two sets of vulnerabilities. Not surprising that Advantech would fix all five vulnerabilities in the same version; finding vulnerabilities almost certainly takes less time than fixing them.

GEOVAP Advisory

This advisory describes a cross-site scripting vulnerability in the GEOVAP Reliance 4 SCADA/HMI. The vulnerability was reported by Ismail Mert AY AK. GEOVAP has a new version that mitigates the vulnerability. There is no indication that Ismail has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to use HTTP proxy to inject arbitrary Javascript in a specially crafted HTTP request that may reflect it back in the HTTP response.