Thursday, May 7, 2020

1 Advisory Published – 5-7-20

Today the CISA NCCIC-ICS published a control system security advisory for products from Advantech.

Advantech Advisory

This advisory describes eight vulnerabilities in the Advantech WebAccess Node. The vulnerabilities were reported by Natnael Samson and Z0mb1E via the Zero Day Initiative. Advantech has new versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eight reported vulnerabilities:

• Improper validation of array index - CVE-2020-12022,
• Relative path traversal - CVE-2020-12010, CVE-2020-12006,
• SQL injection - CVE-2020-12014,
• Stack-based buffer overflow - CVE-2020-12002,
• Heap-based buffer overflow - CVE-2020-10638, and
• Out-of-bounds read - CVE-2020-12018

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to disclose information, execute code remotely, and compromise system availability.
