{"zdi": [{"lastseen": "2016-11-09T00:18:12", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-068", "id": "ZDI-16-068", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:04", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x5228 IOCTL in the Kernel subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy with the AlarmMessage parameter. 
An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "id": "ZDI-16-119", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-119", "type": "zdi", "title": "Advantech WebAccess datacore Service datacore.exe AlarmMessage strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:05", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x5228 IOCTL in the Kernel subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy with the AlarmMessage parameter. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-121", "id": "ZDI-16-121", "title": "Advantech WebAccess datacore Service datacore.exe AlarmMessage strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:53", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy. 
An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-066", "id": "ZDI-16-066", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:52", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-064", "id": "ZDI-16-064", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:16", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x7920 IOCTL in the Kernel subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy. 
An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-107", "id": "ZDI-16-107", "title": "Advantech WebAccess datacore Service datacore.exe strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:17:56", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy. An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-065", "id": "ZDI-16-065", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable instances of Advantech WebAccess. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the 0x11367 IOCTL in the BwpAlarm subsystem. A heap-based buffer overflow vulnerability exists in a call to strcpy using the Backup RPC Hostname parameter. 
An attacker can use this vulnerability to execute arbitrary code in the context of an administrator of the system.", "modified": "2016-11-09T00:00:00", "published": "2016-02-05T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-16-067", "id": "ZDI-16-067", "title": "Advantech WebAccess webvrpcs Service BwpAlarm.dll Backup RPC Hostname strcpy Heap-Based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ics": [{"lastseen": "2018-08-31T01:37:46", "bulletinFamily": "info", "description": "## OVERVIEW\n\nIlya Karpov of Positive Technologies, Ivan Sanchez, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands, Steven Seeley, and an anonymous researcher have identified multiple vulnerabilities in Advantech WebAccess application. Many of these vulnerabilities were reported through the Zero Day Initiative (ZDI) and iDefense. Advantech has produced a new version to mitigate these vulnerabilities. Ivan Sanchez has tested the new version to validate that it resolves the vulnerabilities which he reported.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nAdvantech reports that the vulnerabilities affect the following versions of WebAccess:\n\n * WebAccess Version 8.0 and prior versions.\n\n## IMPACT\n\nAn attacker who exploits these vulnerabilities may be able to upload, create, or delete arbitrary files on the target system, deny access to valid users, or remotely execute arbitrary code.\n\nImpact to individual organizations depends on many factors that are unique to each organization. 
NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nAdvantech is based in Taiwan and has distribution offices in 21 countries worldwide.\n\nThe affected product, WebAccess, formerly known as BroadWin WebAccess, is a web-based SCADA and human-machine interface (HMI) product. According to Advantech, WebAccess is deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, and Government Facilities. Advantech estimates that these products are used globally.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### ACCESS OF MEMORY LOCATION AFTER END OF BUFFER[a]\n\nThe software reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.\n\nCVE-2016-0851[b] has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).[c]\n\n### UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE[d]\n\nAn attacker can upload or create arbitrary files on the server without authentication or constraint.\n\nCVE-2016-0854[e] has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[f]\n\n### PATH TRAVERSAL[g]\n\nThe virtual directory created by WebAccess can be browsed anonymously without authentication.\n\nCVE-2016-0855[h] has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[i]\n\n### STACK-BASED BUFFER OVERFLOW[j]\n\nThere are many instances where the buffer on the stack can be overwritten.\n\nCVE-2016-0856[k] has been assigned to this vulnerability. 
A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[l]\n\n### HEAP-BASED BUFFER OVERFLOW[m]\n\nThere are many conditions in which more space than what is allocated can be written to the heap.\n\nCVE-2016-0857[n] has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[o]\n\n### RACE CONDITION[p]\n\nA specially crafted request can cause a buffer overflow in a shared virtual memory area.\n\nCVE-2016-0858[q] has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[r]\n\n### INTEGER OVERFLOW TO BUFFER OVERFLOW[s]\n\nAn attacker can send a crafted RPC request to the Kernel service to cause a stack-based buffer overflow.\n\nCVE-2016-0859[t] has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[u]\n\n### IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER[v]\n\nAn attacker can send a crafted RPC request to the BwpAlarm subsystem to cause a buffer overflow on global variables.\n\nCVE-2016-0860[w] has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).[x]\n\n### IMPROPER ACCESS CONTROL[y]\n\nNormal and remote users have access to files and folders that only administrators should be allowed to access.\n\nCVE-2016-0852[z] has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).[aa]\n\n### IMPROPER INPUT VALIDATION[bb]\n\nInput validation vulnerabilities could allow an attacker to gain sensitive information from the target system.\n\nCVE-2016-0853[cc] has been assigned to this vulnerability. 
A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).[dd]\n\n### CROSS-SITE SCRIPTING[ee]\n\nThe web server does not filter user input correctly, allowing a malicious user to initiate a cross-site scripting vulnerability.\n\nCVE-2015-3948[ff] has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).[gg]\n\n### SQL INJECTION[hh]\n\nWeb server settings, accounts, and projects may be modified through scripted commands.\n\nCVE-2015-3947[ii] has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).[jj]\n\n### CROSS-SITE REQUEST FORGERY[kk]\n\nThe web server accepts commands via specific scripts that imitate trusted accounts.\n\nCVE-2015-3946[ll] has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R).[mm]\n\n### EXTERNAL CONTROL OF FILE NAME OR PATH[nn]\n\nWebAccess can be made to run remote code through the use of a browser plug-in.\n\nCVE-2015-6467[oo] has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R).[pp]\n\n### CLEARTEXT STORAGE OF SENSITIVE INFORMATION[qq]\n\nEmail project accounts are stored in clear text.\n\nCVE-2015-3943[rr] has been assigned to this vulnerability. 
A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R).[ss]\n\n## VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nAdvantech has released a new version of WebAccess, Version 8.1, to address the reported vulnerabilities. This new version is available on the Advantech website at the following location:\n\n<http://www.advantech.com/industrial-automation/webaccess>\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at <http://ics-cert.us-cert.gov/content/recommended-practices>. 
Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the ICS-CERT web site (<http://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-788: Access of Memory Location After End of Buffer, <http://cwe.mitre.org/data/definitions/788.html>, web site last accessed January 14, 2016.\n * b. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0851>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>), web site last accessed January 14, 2016.\n * d. CWE-434: Unrestricted Upload of File with Dangerous Type, <http://cwe.mitre.org/data/definitions/434.html>, web site last accessed January 14, 2016.\n * e. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0854>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * f. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * g. 
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), <http://cwe.mitre.org/data/definitions/22.html>, web site last accessed January 14, 2016.\n * h. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0855>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * i. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * j. CWE-121: Stack-based Buffer Overflow, <http://cwe.mitre.org/data/definitions/121.html>, web site last accessed January 14, 2016.\n * k. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0856>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * l. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * m. CWE-122: Heap-based Buffer Overflow, <http://cwe.mitre.org/data/definitions/122.html>, web site last accessed January 14, 2016.\n * n. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0857>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * o. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * p. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), <http://cwe.mitre.org/data/definitions/362.html>, web site last accessed January 14, 2016.\n * q. 
NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0858>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * r. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * s. CWE-680: Integer Overflow to Buffer Overflow, <http://cwe.mitre.org/data/definitions/680.html>, web site last accessed January 14, 2016.\n * t. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0859>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * u. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>), web site last accessed January 14, 2016.\n * v. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer, <http://cwe.mitre.org/data/definitions/119.html>, web site last accessed January 14, 2016.\n * w. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0860>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * x. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>), web site last accessed January 14, 2016.\n * y. CWE-284: Improper Access Control, <http://cwe.mitre.org/data/definitions/284.html>, web site last accessed January 14, 2016.\n * z. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0852>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * aa. 
CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>), web site last accessed January 14, 2016.\n * bb. CWE-20: Improper Input Validation, <http://cwe.mitre.org/data/definitions/20.html>, web site last accessed January 14, 2016.\n * cc. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0853>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * dd. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N>), web site last accessed January 14, 2016.\n * ee. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), <http://cwe.mitre.org/data/definitions/79.html>, web site last accessed January 14, 2016.\n * ff. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3948>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * gg. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R>), web site last accessed January 14, 2016.\n * hh. CWE-89: SQL Injection, <http://cwe.mitre.org/data/definitions/89.html>, web site last accessed January 14, 2016.\n * ii. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3947>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * jj. 
CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R>), web site last accessed January 14, 2016.\n * kk. CWE-352: Cross-Site Request Forgery, <http://cwe.mitre.org/data/definitions/352.html>, web site last accessed January 14, 2016.\n * ll. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3946>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * mm. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:R>), web site last accessed January 14, 2016.\n * nn. CWE-73: External Control of File Name or Path, <http://cwe.mitre.org/data/definitions/73.html>, web site last accessed January 14, 2016.\n * oo. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6467>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * pp. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R>), web site last accessed January 14, 2016.\n * qq. CWE-312: Cleartext Storage of Sensitive Information, <http://cwe.mitre.org/data/definitions/312.html>, web site last accessed January 14, 2016.\n * rr. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3943>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * ss. 
CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:R>), web site last accessed January 14, 2016.\n", "modified": "2018-08-23T00:00:00", "published": "2016-01-14T00:00:00", "id": "ICSA-16-014-01", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-16-014-01", "title": "Advantech WebAccess Vulnerabilities", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-11-13T12:48:52", "bulletinFamily": "scanner", "description": "This host is running Advantech WebAccess\n and is prone to multiple vulnerabilities.", "modified": "2018-11-12T00:00:00", "published": "2016-01-22T00:00:00", "id": "OPENVAS:1361412562310807033", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807033", "title": "Advantech WebAccess Multiple Vulnerabilities Jan16", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_advantech_webaccess_mult_vuln.nasl 12313 2018-11-12 08:53:51Z asteins $\n#\n# Advantech WebAccess Multiple Vulnerabilities Jan16\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\nCPE = \"cpe:/a:advantech:advantech_webaccess\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807033\");\n script_version(\"$Revision: 12313 $\");\n script_cve_id(\"CVE-2015-3948\", \"CVE-2015-3943\", \"CVE-2015-3946\", \"CVE-2015-3947\",\n \"CVE-2015-6467\", \"CVE-2016-0851\", \"CVE-2016-0852\", \"CVE-2016-0853\",\n \"CVE-2016-0854\", \"CVE-2016-0855\", \"CVE-2016-0856\", \"CVE-2016-0857\",\n \"CVE-2016-0858\", \"CVE-2016-0859\", \"CVE-2016-0860\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-12 09:53:51 +0100 (Mon, 12 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-22 10:47:51 +0530 (Fri, 22 Jan 2016)\");\n script_name(\"Advantech WebAccess Multiple Vulnerabilities Jan16\");\n\n script_tag(name:\"summary\", value:\"This host is running Advantech WebAccess\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to:\n\n - The web server does not filter user input correctly.\n\n - Email project accounts are stored in clear text.\n\n - The web server accepts commands via specific scripts that imitate trusted\n accounts.\n\n - The Web server settings, accounts, and projects may be modified through\n scripted commands.\n\n - WebAccess can be made to run remote code through the use of a browser\n plug-in.\n\n - The software reads or writes to a buffer using an index or pointer that\n 
references a memory location after the end of the buffer.\n\n - Normal and remote users have access to files and folders that only\n administrators should be allowed to access.\n\n - Unrestricted file upload vulnerability.\n\n - Insufficient sanitization of filenames containing directory traversal\n sequences.\n\n - Multiple stack-based buffer overflows.\n\n - Multiple heap-based buffer overflows.\n\n - Integer overflow in the Kernel service.\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allow\n remote attacker to upload, create, or delete arbitrary files on the target\n system, deny access to valid users and remotely execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Advantech WebAccess versions before 8.1\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Advantech WebAccess version\n 8.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_xref(name:\"URL\", value:\"https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_advantech_webaccess_detect.nasl\");\n script_mandatory_keys(\"Advantech/WebAccess/installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://www.advantech.com/industrial-automation/webaccess\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!adPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!adVer = get_app_version(cpe:CPE, port:adPort)){\n exit(0);\n}\n\nif(version_is_less(version:adVer, test_version:\"8.1\"))\n{\n report = 'Installed Version: ' + adVer + '\\n' +\n 'Fixed Version: 8.1\\n';\n\n security_message(data:report, port:adPort);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}