US Homeland Security Warns Of Dangerous SCADA Flaw

The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. 

WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of distributed computing  protocol, Remote Procedure Call (RPC). 

A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based bugger overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10. Another path traversal flaw that may allow an attacker to execute arbitrary code was given the same score, while others rated 7.5 and 7.8 scores.   

As ICS-CERT notes, WebAccess is used in critical manufacturing, energy, water, and wastewater systems in East Asia, the US, and Europe. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system,” ICS-CERT warns in its risk assessment. 

Advantech has released version 8.3.3 of WebAccess to fix the remotely exploitable bugs, which ICS-CERT emphasized requires a “low skill level to exploit”. WebAccess Versions 8.3.1 and prior are affected, according to ICS-CERT.  

Advantech’s WebAccess 8.3.3 release is available here where it details security updates for WebAccess on Windows 10, Windows 7, and Windows Server 2012 R2 machines.  

Fortunately, ICS-CERT is not aware of any public exploits targeting these vulnerabilities.

However, the latest fix follows the March release of a public exploit from a Tenable Security researcher Chris Lyne for an unauthenticated remote code execution flaw that worked against WebAccess versions 8.3, despite Advantech’s January release of WebAccess version 8.3 supposedly having addressed CVE-2017–16720, the flaw the exploit utilized. 

Lyne in July discovered his exploit also worked against the subsequently released WebAccess versions 8.3.1 and 8.3.2. 

“According to the WebAccess Support & Download page, 8.3.2 was released on August 17, 2018. It appears there was never a patch for this vulnerability,” Lyne wrote in September. 

He also found dozens of internet-exposed WebAccess instances through the IoT search engine, Shodan.io, which were likely a fraction of all WebAccess installations worldwide. 

WebAccess has become testing ground for researchers looking for bugs in Remote Procedure Call (RPC) protocols, which were developed in the pre-internet era and later implemented in Windows. 

Trend Micro’s Zero Day Initiative (ZDI) revealed in January this year that around 2016 it had paid for a “trove of vulnerability reports” written previously by an anonymous researcher who’d been investigating vulnerabilities in WebAccess RPC interfaces.   

ZDI researcher Fritz Sands explained that WebAccess installation and setup opens ports 4592 and 14592 for TCP traffic, which use RPC protocols to communicate with clients.  

Microsoft’s RPC implementation allows Windows machines to talk with other RPC-enabled systems, such as those that use Open Group’s Distributed Computing Environment (DCE) for RPC.   

“These ports are serviced by processes (webvrpcs.exe and datacore.exe) that run in the context of a local administrator. These ports use Remote Procedure Call (RPC) protocols to communicate with clients, and both of the RPC interfaces can be called from remote unauthenticated clients,” he noted. 

Sands, who was credited with reporting WebAccess bugs that were fixed in May, noted that code in Advantech’s WebAccess version 8.0 software package “contains many exploitable vulnerabilities” and encouraged hackers to use it test newer versions of WebAccess and then explore other products that use RPC services. 

CSO:

You Might Also Read:

US Accuses Russia Of Attacking Energy Infrastructure

« Britain Needs A Cyber Army To Defend Against Prolific Attacks
Lloyds Bank Is Replacing Customer Debit Cards After Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Checkmarx

Checkmarx

Checkmarx provides state-of-the-art application security solutions with static code analysis software.

Business Intelligence Associates (BIA)

Business Intelligence Associates (BIA)

BIA's TotalDiscovery is a defensible and cost-effective corporate preservation and legal compliance software solution.

CCN-CERT

CCN-CERT

CCN-CERT is the Spanish national government computer security incident response centre.

ControlCase

ControlCase

ControlCase provide solutions that address all aspects of IT-GRCM (Governance, Risk Management and Compliance Management).

Invensis Learning

Invensis Learning

Invensis Learning is a professional training and certification company providing IT Service Management, IT Security & Governance, DevOps, Cloud Computing and Digital Awareness training.

Ceerus

Ceerus

Ceerus was created to simplify the process of deploying and managing security across all the channels in an organisation.

CLDigital

CLDigital

CLDigital's no-code risk and resilience platform, CL360, provides leaders with risk and resilience data to make strategic and tactical continuity decisions.

Dreamlab Technologies

Dreamlab Technologies

Dreamlab specialises in securing critical IT infrastructures. We offer qualitative support and advice for managing your infrastructure and cyber security needs.

BLUECYFORCE

BLUECYFORCE

BLUECYFORCE is the leading professional training and cyber defense training organization in France.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

AirITSystems

AirITSystems

AirITSystems offer companies comprehensive IT security solutions that take all security considerations into account and are tailored to your business.

Red Sky Alliance

Red Sky Alliance

Red Sky Alliance (Wapack Labs Corp) is a cyber threat intelligence firm that delivers proprietary intelligence data, analysis and in-depth strategic reporting.

Axitea

Axitea

Axitea designs, implements and develops the solutions best suited to its customers’ needs and their physical and cyber security requirements.

Cerby

Cerby

Your team uses unmanageable applications that put you, your company, and your data at risk. Protect, secure, and accelerate your business automatically with Cerby.

InterSec Inc.

InterSec Inc.

InterSec Inc. is a cybersecurity company that offers a variety of services to small and medium-sized businesses including CMMC Compliance, Program Management, Governance, & Cybersecurity.

SydeLabs

SydeLabs

At SydeLabs, our mission is to ensure the comprehensive security of your AI systems.