Today the CISA NCCIC-ICS published a control system security
advisory for products from Advantech.
Advantech Advisory
This advisory describes eight vulnerabilities in the Advantech WebAccess
Node. The vulnerabilities were reported by Natnael Samson and Z0mb1E via the
Zero Day Initiative. Advantech has new versions that mitigate the
vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
The eight reported vulnerabilities:
• Improper validation of array index - CVE-2020-12022,
• Relative path traversal - CVE-2020-12010, CVE-2020-12006,
• SQL injection - CVE-2020-12014,
• Stack-based buffer overflow - CVE-2020-12002,
• Heap-based buffer overflow - CVE-2020-10638, and
• Out-of-bounds read - CVE-2020-12018
NCCIC-ICS reports that a relatively low-skilled attacker could remotely
exploit these vulnerabilities to disclose information, execute code remotely,
and compromise system availability.