Advantech WebAccess webvrpcs.exe Path Traversal RCE

Critical Nessus Plugin ID 117360

Synopsis

The remote host is running a web application that is affected by a path traversal vulnerability.

Description

The Advantech WebAccess/SCADA Network Service (webvrpcs.exe) running on the remote host is affected by a path traversal vulnerability due to the failure to properly validate user-supplied input when processing a DCERPC request. An unauthenticated, remote attacker can exploit this, via a series of crafted requests, to execute arbitrary code.

Note that this vulnerability is supposedly fixed in WebAccess version 8.3, but it appears that versions 8.3.1 and 8.3.2 are still vulnerable.

Solution

Contact vendor for solution.

See Also

https://ics-cert.us-cert.gov/advisories/ICSA-18-004-02A

http://www.zerodayinitiative.com/advisories/ZDI-18-024/

https://www.exploit-db.com/exploits/44278/

Plugin Details

Severity: Critical

ID: 117360

File Name: scada_advantech_webaccess_cve-2017-16720.nbin

Version: 1.2

Type: remote

Family: SCADA

Published: 2018/09/10

Modified: 2018/09/13

Dependencies: 117361

Risk Information

Risk Factor: Critical

CVSS Score Source: manual

CVSS Score Rationale: Unauthenticated rce is achievable with default configuration under the context of administrator.

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSSv3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:advantech:webaccess

Exploited by Nessus: true

Vulnerability Publication Date: 2018/01/04

Reference Information

CVE: CVE-2017-16720

BID: 102424

ICSA: 18-004-02A

ZDI: ZDI-18-024

TRA: TRA-2018-23