US Homeland Security Warns Of Dangerous SCADA Flaw

The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. 

WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of distributed computing  protocol, Remote Procedure Call (RPC). 

A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based bugger overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10. Another path traversal flaw that may allow an attacker to execute arbitrary code was given the same score, while others rated 7.5 and 7.8 scores.   

As ICS-CERT notes, WebAccess is used in critical manufacturing, energy, water, and wastewater systems in East Asia, the US, and Europe. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system,” ICS-CERT warns in its risk assessment. 

Advantech has released version 8.3.3 of WebAccess to fix the remotely exploitable bugs, which ICS-CERT emphasized requires a “low skill level to exploit”. WebAccess Versions 8.3.1 and prior are affected, according to ICS-CERT.  

Advantech’s WebAccess 8.3.3 release is available here where it details security updates for WebAccess on Windows 10, Windows 7, and Windows Server 2012 R2 machines.  

Fortunately, ICS-CERT is not aware of any public exploits targeting these vulnerabilities.

However, the latest fix follows the March release of a public exploit from a Tenable Security researcher Chris Lyne for an unauthenticated remote code execution flaw that worked against WebAccess versions 8.3, despite Advantech’s January release of WebAccess version 8.3 supposedly having addressed CVE-2017–16720, the flaw the exploit utilized. 

Lyne in July discovered his exploit also worked against the subsequently released WebAccess versions 8.3.1 and 8.3.2. 

“According to the WebAccess Support & Download page, 8.3.2 was released on August 17, 2018. It appears there was never a patch for this vulnerability,” Lyne wrote in September. 

He also found dozens of internet-exposed WebAccess instances through the IoT search engine, Shodan.io, which were likely a fraction of all WebAccess installations worldwide. 

WebAccess has become testing ground for researchers looking for bugs in Remote Procedure Call (RPC) protocols, which were developed in the pre-internet era and later implemented in Windows. 

Trend Micro’s Zero Day Initiative (ZDI) revealed in January this year that around 2016 it had paid for a “trove of vulnerability reports” written previously by an anonymous researcher who’d been investigating vulnerabilities in WebAccess RPC interfaces.   

ZDI researcher Fritz Sands explained that WebAccess installation and setup opens ports 4592 and 14592 for TCP traffic, which use RPC protocols to communicate with clients.  

Microsoft’s RPC implementation allows Windows machines to talk with other RPC-enabled systems, such as those that use Open Group’s Distributed Computing Environment (DCE) for RPC.   

“These ports are serviced by processes (webvrpcs.exe and datacore.exe) that run in the context of a local administrator. These ports use Remote Procedure Call (RPC) protocols to communicate with clients, and both of the RPC interfaces can be called from remote unauthenticated clients,” he noted. 

Sands, who was credited with reporting WebAccess bugs that were fixed in May, noted that code in Advantech’s WebAccess version 8.0 software package “contains many exploitable vulnerabilities” and encouraged hackers to use it test newer versions of WebAccess and then explore other products that use RPC services. 

CSO:

You Might Also Read:

US Accuses Russia Of Attacking Energy Infrastructure

« Britain Needs A Cyber Army To Defend Against Prolific Attacks
Lloyds Bank Is Replacing Customer Debit Cards After Cyber Attacks »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CloudDNA

CloudDNA

CloudDNA deliver solutions that enable users and devices to connect over high performance, secure, efficient, scalable cloud networks.

Paramount Computer Systems

Paramount Computer Systems

Paramount is a regional leader in the Middle East for cybersecurity solutions and consulting services.

National Association of State Chief Information Officers (NASCIO)

National Association of State Chief Information Officers (NASCIO)

NASCIO's Cybersecurity Committee focuses helps state CIOs to formulate high-level security and data protection policies and technical controls.

Echoworx

Echoworx

Echoworx primary and exclusive focus is providing organizations with secure email services.

ShiftLeft

ShiftLeft

ShiftLeft is a continuous application security platform, purpose-built for the modern software development life cycle.

Get Indemnity

Get Indemnity

Get Indemnity are specialist insurance brokers with experience working on a wide range of innovative business insurance products that combine risk management, indemnity and incident response services.

MSPAlliance

MSPAlliance

MSPAlliance is the world’s largest industry association and certification body for cloud computing and managed service professionals.

Semmle

Semmle

Semmle's code analysis platform helps teams find zero-days and automate variant analysis. Secure your code with continuous security analysis and automated code review.

Campus cyber

Campus cyber

A project initiated by the President of the Republic, the Cyber Campus is the totem site of cybersecurity that brings together the main national and international players in the field.

RB42

RB42

RB42 (formerly Nexa Technologies) provide cyber defense solutions (ComUnity, secure and encrypted messaging, detection of interception tools, etc) and cyber defense consultancy service.

Circle Security

Circle Security

Circle’s breakthrough security API unifies solutions for identity and data security into one architecture and empowers organizations to secure their identity, data and privacy in their applications.

OneCollab

OneCollab

OneCollab, your unwavering ally in the dynamic landscape of IT services and cybersecurity.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.

PDI Technologies

PDI Technologies

PDI Technologies helps convenience retail and petroleum wholesale businesses around the globe increase efficiency and profitability by securely connecting their data and operations.

Intraframe US

Intraframe US

Intraframe US is a cybersecurity company in Memphis, specializing in Digital Forensics Incident Response and Managed IT services. We provide SMBs with a 24/7 SOC for proactive Cyber Threat Management.

Securafy

Securafy

At Securafy, we understand how important it is to have the right IT partner by your side. For over 30 years, we’ve helped businesses stay secure, connected, and compliant.