ID: ZDI-19-317
Type: zdi
Reporter: Mat Powell of Trend Micro Zero Day Initiative
Modified: 2019-06-22T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess Client. Authentication is not required to exploit this vulnerability. The specific flaw exists within bwwebd.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator.
Title: Advantech WebAccess Client bwwebd Stack-based Buffer Overflow Remote Code Execution Vulnerability
Published: 2019-04-02T00:00:00
Modified: 2019-06-22T00:00:00
CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE: CVE-2019-6550
Advisory: https://www.zerodayinitiative.com/advisories/ZDI-19-317/
References: https://ics-cert.us-cert.gov/advisories/ICSA-19-091-01
Related records: CVE-2019-6550; ZDI-19-323, ZDI-19-309, ZDI-19-312, ZDI-19-310, ZDI-19-315, ZDI-19-311, ZDI-19-322, ZDI-19-328, ZDI-19-325, ZDI-19-321; ICSA-19-092-01
Related records

CVE-2019-6550 (NVD)
Description: Advantech WebAccess/SCADA, Versions 8.3.5 and prior. Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.
CWE: CWE-787
CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS v2: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CPE: cpe:2.3:a:advantech:webaccess:8.3.5:*:*:*:*:*:*:*
Published: 2019-04-05T19:29:00
Modified: 2020-10-06T14:02:00
Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6550

Related ZDI advisories (all assigned CVE-2019-6550; published 2019-04-02, modified 2019-06-22; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P). Each describes the same flaw pattern as ZDI-19-317 in a different executable: the named binary is reached through the 0x2711 IOCTL in the webvrpcs process, user-supplied data is copied into a fixed-length stack-based buffer without proper length validation, authentication is not required, and an attacker can leverage the flaw to execute code in the context of Administrator.

ZDI-19-321: Advantech WebAccess Node bwthinfl Stack-based Buffer Overflow Remote Code Execution Vulnerability (bwthinfl.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-321/
ZDI-19-323: Advantech WebAccess Client bwsound Stack-based Buffer Overflow Remote Code Execution Vulnerability (bwsound.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-323/
ZDI-19-311: Advantech WebAccess Node bwstwww Stack-based Buffer Overflow Remote Code Execution Vulnerability (bwstwww.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-311/
ZDI-19-320: Advantech WebAccess Node bwmakdir Stack-based Buffer Overflow Remote Code Execution Vulnerability (bwmakdir.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-320/
ZDI-19-327: Advantech WebAccess Node BwOpcImg Stack-based Buffer Overflow Remote Code Execution Vulnerability (BwOpcImg.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-327/
ZDI-19-318: Advantech WebAccess Node BwSyncLg Stack-based Buffer Overflow Remote Code Execution Vulnerability (BwSyncLg.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-318/
ZDI-19-313: Advantech WebAccess Node BwFreRPT Stack-based Buffer Overflow Remote Code Execution Vulnerability (BwFreRPT.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-313/
ZDI-19-316: Advantech WebAccess Client bwprtscr Stack-based Buffer Overflow Remote Code Execution Vulnerability (bwprtscr.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-316/
ZDI-19-308: Advantech WebAccess Node jpegconv Stack-based Buffer Overflow Remote Code Execution Vulnerability (jpegconv.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-308/
ZDI-19-330: Advantech WebAccess Client upandpr scanf Stack-based Buffer Overflow Remote Code Execution Vulnerability (a scanf call in upandpr.exe) - https://www.zerodayinitiative.com/advisories/ZDI-19-330/

ICSA-19-092-01: Advantech WebAccess/SCADA (ICS advisory)
Published: 2019-04-02T00:00:00
Modified: 2019-04-02T00:00:00
CVEs: CVE-2019-6554, CVE-2019-6550, CVE-2019-6552
Link: https://www.us-cert.gov//ics/advisories/ICSA-19-092-01

## 1. EXECUTIVE SUMMARY

 * **CVSS v3 9.8**
 * **ATTENTION:** Exploitable remotely/low skill level to exploit
 * **Vendor:** Advantech
 * **Equipment:** WebAccess/SCADA
 * **Vulnerabilities:** Command Injection, Stack-based Buffer Overflow, Improper Access Control

## 2. RISK EVALUATION

Successful exploitation of these vulnerabilities may cause a denial of service and allow remote code execution.

## 3. TECHNICAL DETAILS

### 3.1 AFFECTED PRODUCTS

The following versions of WebAccess/SCADA, a SCADA software platform, are affected:

 * WebAccess/SCADA Versions 8.3.5 and prior.

### 3.2 VULNERABILITY OVERVIEW

**3.2.1 [IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND ('COMMAND INJECTION') CWE-77](https://cwe.mitre.org/data/definitions/77.html)**

Multiple command injection vulnerabilities, caused by a lack of proper validation of user-supplied data, may allow remote code execution.

[CVE-2019-6552](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6552) has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)).

**3.2.2 [STACK-BASED BUFFER OVERFLOW CWE-121](https://cwe.mitre.org/data/definitions/121.html)**

Multiple stack-based buffer overflow vulnerabilities, caused by a lack of proper validation of the length of user-supplied data, may allow remote code execution.

[CVE-2019-6550](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6550) has been assigned to these vulnerabilities. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)).

**3.2.3 [IMPROPER ACCESS CONTROL CWE-284](https://cwe.mitre.org/data/definitions/284.html)**

An improper access control vulnerability may allow an attacker to cause a denial-of-service condition.

[CVE-2019-6554](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6554) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)).

### 3.3 BACKGROUND

 * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy, Water and Wastewater Systems
 * **COUNTRIES/AREAS DEPLOYED:** East Asia, United States, and Europe
 * **COMPANY HEADQUARTERS LOCATION:** Taiwan

### 3.4 RESEARCHER

Mat Powell and Natnael Samson (@NattiSamson) working with Trend Micro's Zero Day Initiative (ZDI) reported these vulnerabilities to NCCIC.

## 4. MITIGATIONS

Advantech has released Version 8.4.0 of WebAccess/SCADA to address the reported vulnerabilities. Users can download the latest version of WebAccess/SCADA at the following location (registration required):

[https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download](https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download)

NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

 * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
 * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
 * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

## Contact Information

For any questions related to this report, please contact the CISA at:

Email: [CISAservicedesk@cisa.dhs.gov](mailto:cisaservicedesk@cisa.dhs.gov)
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics
or incident reporting: https://us-cert.cisa.gov/report