The ICS-CERT is warning users about a stack buffer overflow in the Advantech WebAccess SCADA product that could lead to arbitrary code execution.
Advantech WebAccess is a SCADA and human-machine interface product that’s accessible over the Web. It’s used in a variety of industries, including energy, manufacturing, government and the commercial sector. The vulnerability affects versions 7.2 and earlier of WebAccess.
The vulnerability is mitigated by the fact that it cannot be triggered remotely. In order to exploit the flaw, an attacker would need local access to the vulnerable application and the ability to load a malformed HTML file.
“This vulnerability is caused by a stack buffer overflow when parsing the ip_address parameter. A malicious third party could trigger execution of arbitrary code within the context of the application or otherwise crash the whole application. This is caused because the application copies strings to the stack without checking length,” the ICS-CERT advisory says.
Advantech has released an updated version of WebAccess, version 8.0, that includes a fix for the buffer overflow vulnerability. Users can download the update from the Advantech site.
The vulnerability was discovered and reported by researchers at Core Security.
“Core Security recommends that if users upgrade to WebAccess 8.0, they must also delete the vulnerable “webeye.ocx” from their system, or uninstall the previous version before installing WebAccess 8.0. It recommends that users avoid opening untrusted .html files,” the ICS-CERT advisory says.