Advantech WebAccess < 7.0-2011.08.27 Multiple Vulnerabilities

High Nessus Network Monitor Plugin ID 9954

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is prior to 7.0-2011.08.27 and is affected by the following vulnerabilities:

- An overflow condition exists in the bundled 'bwscript.dll' ActiveX control because user-supplied input is not properly validated. With a specially crafted web page, a context-dependent attacker can cause a buffer overflow, potentially allowing the execution of arbitrary code. (OSVDB 124951)
- An overflow condition exists in the bundled 'webdobj.dll' ActiveX control because user-supplied input is not properly validated. With a specially crafted web page, a context-dependent attacker can cause a buffer overflow, potentially allowing the execution of arbitrary code. (OSVDB 124952)

Solution

Upgrade to Advantech WebAccess version 7.0-2011.08.27 or later.

See Also

http://advantech.vo.llnwd.net/o35/www/webaccess/WebAccess%208.0/Version%208.0.htm

http://webaccess.advantech.com/downloads/Release%20Notes%20Candidate.htm

Plugin Details

Severity: High

ID: 9954

File Name: 9954.prm

Family: SCADA

Published: 2017/02/14

Modified: 2017/02/14

Dependencies: 9860

Nessus ID: 85543

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 2011/08/27

Vulnerability Publication Date: 2011/08/27

Reference Information

OSVDB: 124951, 124952