Thursday, March 26, 2020

1 Advisory Published – 3-26-20

Today the CISA NCCIC-ICS published one control system security advisory for products from Advantech.

Advantech Advisory

This advisory describes a stack-based buffer overflow in the Advantech WebAccess HMI platform. The vulnerability was reported by Peter Cheng of Elex CyberSecurity. Advantech has a new version that mitigates the vulnerability. There is no indication that Cheng was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to achieve remote code execution.

NOTE: I wonder if this could be the same vulnerability that was reported by Tenable back in December. Different CVE numbers, but that does not mean a lot. Not enough detail in the NCCIC-ICS report to really tell.
