US Homeland Security Warns Of Dangerous SCADA Flaw

The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. 

WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of distributed computing  protocol, Remote Procedure Call (RPC). 

A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based bugger overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10. Another path traversal flaw that may allow an attacker to execute arbitrary code was given the same score, while others rated 7.5 and 7.8 scores.   

As ICS-CERT notes, WebAccess is used in critical manufacturing, energy, water, and wastewater systems in East Asia, the US, and Europe. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system,” ICS-CERT warns in its risk assessment. 

Advantech has released version 8.3.3 of WebAccess to fix the remotely exploitable bugs, which ICS-CERT emphasized requires a “low skill level to exploit”. WebAccess Versions 8.3.1 and prior are affected, according to ICS-CERT.  

Advantech’s WebAccess 8.3.3 release is available here where it details security updates for WebAccess on Windows 10, Windows 7, and Windows Server 2012 R2 machines.  

Fortunately, ICS-CERT is not aware of any public exploits targeting these vulnerabilities.

However, the latest fix follows the March release of a public exploit from a Tenable Security researcher Chris Lyne for an unauthenticated remote code execution flaw that worked against WebAccess versions 8.3, despite Advantech’s January release of WebAccess version 8.3 supposedly having addressed CVE-2017–16720, the flaw the exploit utilized. 

Lyne in July discovered his exploit also worked against the subsequently released WebAccess versions 8.3.1 and 8.3.2. 

“According to the WebAccess Support & Download page, 8.3.2 was released on August 17, 2018. It appears there was never a patch for this vulnerability,” Lyne wrote in September. 

He also found dozens of internet-exposed WebAccess instances through the IoT search engine, Shodan.io, which were likely a fraction of all WebAccess installations worldwide. 

WebAccess has become testing ground for researchers looking for bugs in Remote Procedure Call (RPC) protocols, which were developed in the pre-internet era and later implemented in Windows. 

Trend Micro’s Zero Day Initiative (ZDI) revealed in January this year that around 2016 it had paid for a “trove of vulnerability reports” written previously by an anonymous researcher who’d been investigating vulnerabilities in WebAccess RPC interfaces.   

ZDI researcher Fritz Sands explained that WebAccess installation and setup opens ports 4592 and 14592 for TCP traffic, which use RPC protocols to communicate with clients.  

Microsoft’s RPC implementation allows Windows machines to talk with other RPC-enabled systems, such as those that use Open Group’s Distributed Computing Environment (DCE) for RPC.   

“These ports are serviced by processes (webvrpcs.exe and datacore.exe) that run in the context of a local administrator. These ports use Remote Procedure Call (RPC) protocols to communicate with clients, and both of the RPC interfaces can be called from remote unauthenticated clients,” he noted. 

Sands, who was credited with reporting WebAccess bugs that were fixed in May, noted that code in Advantech’s WebAccess version 8.0 software package “contains many exploitable vulnerabilities” and encouraged hackers to use it test newer versions of WebAccess and then explore other products that use RPC services. 

CSO:

You Might Also Read:

US Accuses Russia Of Attacking Energy Infrastructure

« Britain Needs A Cyber Army To Defend Against Prolific Attacks
Lloyds Bank Is Replacing Customer Debit Cards After Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Berkman Klein Center for Internet & Society

Berkman Klein Center for Internet & Society

The Berkman Klein Center for Internet & Society is a research center at Harvard University that focuses on the study of cyberspace.

Cyber Security National Lab (CINI)

Cyber Security National Lab (CINI)

The Cyber Security National Lab brings together Italian academic excellence in Cyber Security research.

AET Europe

AET Europe

AET Europe is specialised in creating technological solutions for user identification and authentication.

PartnerRe

PartnerRe

PartnerRe Ltd. provides multi-line reinsurance to insurance companies on a worldwide basis. Services include Cyber Risk.

SureVine

SureVine

Surevine builds secure, scalable collaboration solutions for the most security conscious organisations, enabling collaboration on their most sensitive information.

Monegasque Digital Security Agency (AMSN)

Monegasque Digital Security Agency (AMSN)

AMSN is the national authority in charge of the security of information systems in Monaco.

Farsight Security

Farsight Security

Farsight Security provides the world’s largest real-time actionable threat intelligence on how the Internet is changing.

GoSecure

GoSecure

GoSecure Managed Detection and Response helps all organizations reduce dwell time by preventing breaches before they happen.

Transmit Security

Transmit Security

The Transmit Security Platform provides a solution for managing identity across applications while maintaining security and usability.

Sikich

Sikich

Sikich LLP is a leading professional services firm specializing in accounting, advisory, technology and managed services.

Resilience Cyber insurance

Resilience Cyber insurance

Resilience helps to improve cyber resilience by connecting cyber insurance coverage with advanced cybersecurity visibility and a shared plan to reinforce great cyber hygiene.

Munio

Munio

Munio is a leading Fortified IT Support and Cyber Security companies in the south east of the UK.

CyberNut

CyberNut

CyberNut are a security awareness training solution built exclusively for schools.

Qi An Xin (QAX)

Qi An Xin (QAX)

QAX is a listed company based in China, and a leader in cybersecurity industry, providing new generation enterprise-level and national-level cybersecurity solutions.

Siguria Kibernetike (Cyber Security)

Siguria Kibernetike (Cyber Security)

Siguria Kibernetike is a company based in Tirana that offers full service in the field of cyber and physical security.

CyberForce Global

CyberForce Global

CyberForce Global are at the forefront of start-up technology recruitment in areas including cybersecurity, IT infrastructure, software, fintech, blockchain and more.