Advantech WebAccess < 7.0-2009.06.29 Multiple Vulnerabilities

critical Nessus Plugin ID 85691

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The version of Advantech WebAccess running on the remote host is prior to version 7.0-2009.06.29. It is, therefore, affected by multiple vulnerabilities :

- SQL injection vulnerabilities exist due to unspecified input not being properly sanitized before processing SQL queries. An unauthenticated, remote attacker can exploit these to inject SQL queries against the database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2011-4521, CVE-2012-0234, CVE-2012-0244)

- Unspecified cross-site scripting vulnerabilities exist due to improper validation of input data submitted to scripts bwerrdn.asp and bwview.asp. A remote attacker, using a specially crafted URL, can exploit these to execute arbitrary script code in the browser in the context of the user's session. (CVE-2011-4522, CVE-2011-4523)

- A buffer overflow condition exists due to a failure to properly sanitize user-supplied input. A remote, unauthenticated attacker, by using a very long string passed to unspecified parameters, can exploit this to execute arbitrary code. (CVE-2011-4524)

- A flaw exists that allows extracting arbitrary web page content into a batch file, which can then be executed.
An unauthenticated, remote attacker can exploit this to write files to the server, allowing the execution of arbitrary code. (CVE-2011-4525)

- A buffer overflow condition exists due to a failure to properly sanitize user-supplied input to unspecified ActiveX parameters. An unauthenticated, remote attacker can exploit this, using a crafted long string, to execute arbitrary code. (CVE-2011-4526)

- A cross-site scripting vulnerability exists due to improper validation of unspecified input before returning it to the user. A remote attacker, using a specially crafted URL, can exploit this to execute arbitrary script code in the browser in the context of the user's session. (CVE-2012-0233)

- An unspecified cross-site request forgery (XSRF) vulnerability exists due to WebAccess not requiring explicit confirmation from the user for sensitive transactions. An attacker, by using a specially crafted GET request embedded in an 'img' tag, can exploit this vulnerability to execute commands in the context of the session between an authenticated user and the application. (CVE-2012-0235)

- An unspecified information disclosure vulnerability exists that allows an unauthenticated, remote attacker to obtain sensitive information by using a direct request to a URL. (CVE-2012-0236)

- A flaw exists that allows an unauthenticated, remote attacker to enable or disable the date and time syncing operations by using a crafted URL. (CVE-2012-0237)

- A stack-based buffer overflow condition exists in opcImg.asp due to a failure to properly sanitize user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code.
(CVE-2012-0238)

- A flaw exits in the uaddUpAdmin.asp script due to an authentication failure, which allows a remote attacker to modify an administrative password using a change password request. (CVE-2012-0239)

- A flaw exists in the authentication function in the GbScriptAddUp.asp script, which allows a remote attacker to execute arbitrary code. (CVE-2012-0240)

- A memory corruption issue exists in the WriteTextData() and CloseFile() functions due to a failure to properly sanitize user-supplied input. A remote attacker, by using a crafted value in the 'fpt' parameter, can exploit this to cause a denial of service or execute arbitrary code. (CVE-2012-0241)

- A flaw in the bwocxrun.ocx ActiveX control exists due to a failure by the OcxSpool() method to properly sanitize user-supplied string format specifiers. A remote, unauthenticated attacker, by using crafted specifiers, can exploit this to execute arbitrary code.
(CVE-2012-0242)

- A buffer overflow condition exists in the bwocxrun.ocx ActiveX control due to a failure to properly sanitize user-supplied input. A remote attacker can exploit this to write arbitrary files to any pathname, allowing the execution of arbitrary code. (CVE-2012-0243)

- An unspecified SQL injection vulnerability exists due to input not being properly sanitized before processing SQL queries, which resulted from an incomplete fix for issue CVE-2012-0234. An unauthenticated, remote attacker can exploit this vulnerability to inject SQL queries against the database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2012-1234)

Solution

Upgrade to Advantech WebAccess version 7.0-2009.06.29 or higher.

See Also

http://www.nessus.org/u?b24f9dd5

https://ics-cert.us-cert.gov/advisories/ICSA-12-047-01A

Plugin Details

Severity: Critical

ID: 85691

File Name: scada_advantech_webaccess_7_0_2009_06_29.nbin

Version: 1.119

Type: remote

Family: SCADA

Published: 8/28/2015

Updated: 3/19/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Required KB Items: www/scada_advantech_webaccess

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/29/2009

Vulnerability Publication Date: 8/27/2011

Reference Information

CVE: CVE-2011-4521, CVE-2011-4522, CVE-2011-4523, CVE-2011-4524, CVE-2011-4525, CVE-2011-4526, CVE-2012-0233, CVE-2012-0234, CVE-2012-0235, CVE-2012-0236, CVE-2012-0237, CVE-2012-0238, CVE-2012-0239, CVE-2012-0240, CVE-2012-0241, CVE-2012-0242, CVE-2012-0243, CVE-2012-0244, CVE-2012-1234

BID: 52051

ICSA: 12-047-01A