Today the CISA NCCIC-ICS published two control system security advisories for products from Advantech and updated one advisory for products from Wibu-Systems.
R-SeeNet Advisory
This advisory describes an SQL injection vulnerability in the Advantech R-SeeNet monitoring application. The vulnerability was reported by rgod via the Zero Day Initiative (ZDI). Advantech has a new version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to retrieve sensitive information from the R-SeeNet database.
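The advisory names the weakness class but not the mechanism. The following is an added, generic illustration of SQL injection against a small monitoring-style table; it is not R-SeeNet code and nothing in it is taken from any Advantech product. The table, rows and payload are constructed for the example, and the point is simply that splicing user input into the SQL text lets a tautology return every row, while a bound parameter does not.

```python
import sqlite3

# Constructed sample data standing in for a monitoring application's
# database; nothing here is taken from R-SeeNet or any Advantech product.
SAMPLE_ROWS = [
    ("router-01", "10.0.0.1", "alice"),
    ("router-02", "10.0.0.2", "bob"),
    ("router-03", "10.0.0.3", "carol"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (name TEXT, ip TEXT, owner TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Attacker-controlled input is spliced straight into the SQL text."""
    sql = f"SELECT name, ip, owner FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver never interprets the value as SQL."""
    sql = "SELECT name, ip, owner FROM devices WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic tautology payload; the trailing quote is supplied by the query text.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Run the same payload through both lookups and return both result sets."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The vulnerable lookup returns all three rows for a name that matches none of them, which is the "retrieve sensitive information" outcome the advisory describes in its most basic form; the parameterized lookup returns nothing.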
NOTE: NCCIC-ICS provides a link to the Advantech advisory for this vulnerability. This is the first time that I have seen an advisory published by Advantech (actually, Advantech Czech s.r.o.) and they also have a security notifications web page which apparently only covers their cellular routers and gateways. Interestingly, they make Common Vulnerability Reporting Framework (CVRF) v1.1 files on identified vulnerabilities available to their customers.
WebAccess Advisory
This advisory describes an external control of file name or path vulnerability in the Advantech WebAccess/SCADA software package. The vulnerability was reported by Sivathmican Sivakumaran via ZDI. Advantech has newer versions that mitigate the vulnerability. There is no indication that Sivakumaran has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to control or influence a path used in a filesystem operation and execute code remotely as an administrator.
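As with the R-SeeNet item, the advisory names the weakness class (external control of file name or path) without showing it. The following is an added, generic illustration and is not WebAccess/SCADA code; the directory layout, file names and the "reports" base directory are constructed for the example. It shows a user-supplied name escaping the intended directory with `..`, and a hardened version that normalizes the path and rejects anything not directly inside the base directory.

```python
import tempfile
from pathlib import Path

# Constructed layout: an application "reports" directory plus a file outside
# it that a user should never be able to reach. Nothing here models WebAccess.


def make_layout():
    """Create a temp tree: <root>/reports/daily.txt and <root>/secret.txt."""
    root = Path(tempfile.mkdtemp())
    reports = root / "reports"
    reports.mkdir()
    (reports / "daily.txt").write_text("daily report")
    (root / "secret.txt").write_text("not for users")
    return root, reports


def read_vulnerable(base, user_name):
    """CWE-73 pattern: the user-controlled string decides which file is opened."""
    return (base / user_name).read_text()


def read_hardened(base, user_name):
    """Open user_name only if, after normalization, it is a file directly in base.

    resolve() collapses '..' segments, turns an absolute user_name into itself
    rather than a child of base, and follows symlinks, so the parent check
    covers all three escape routes. The policy here is a flat directory; a
    tree would compare against base with Path.is_relative_to() instead.
    """
    base = base.resolve()
    target = (base / user_name).resolve()
    if target.parent != base or not target.is_file():
        raise PermissionError(f"rejected path: {user_name!r}")
    return target.read_text()


def demo():
    """Exercise both readers against a normal name and a traversal payload."""
    root, reports = make_layout()
    out = {"normal": read_hardened(reports, "daily.txt")}
    # The vulnerable reader happily walks out of the reports directory.
    out["vulnerable_traversal"] = read_vulnerable(reports, "../secret.txt")
    try:
        read_hardened(reports, "../secret.txt")
        out["hardened_traversal"] = "allowed"
    except PermissionError:
        out["hardened_traversal"] = "rejected"
    return out


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Reading a file outside the intended directory is the read-only form of the weakness; the advisory's "execute code as an administrator" outcome arises when the same kind of controlled path feeds a write, rename, include or execute operation instead of a read.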
NOTE: This vulnerability was not reported on the web site I discussed for the earlier vulnerability, nor was there an Advantech advisory available.
CodeMeter Update
This update provides additional information on an advisory that was originally published on September 8th, 2020 and most recently updated on October 1st, 2020 (the advisory incorrectly refers back to an earlier version from September 17th). The new information includes links to two new vendor advisories from Schneider and WEIDMUELLER.