Advantech WebAccess < 7.2-2013.11.14 Multiple Vulnerabilities

Nessus Network Monitor Plugin ID 9957 (Severity: High)

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is prior to 7.2-2013.11.14 and is affected by the following vulnerabilities:

- Multiple SQL Injection vulnerabilities exist in 'DBVisitor.dll' that can be exploited via specially crafted SOAP requests. (CVE-2014-0763)
- Multiple stack-based buffer overflow conditions exist in an unspecified ActiveX control. (CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768)
- The 'NodeName' parameter on the web interface is affected by a buffer overflow vulnerability. (CVE-2014-0770)
- An unspecified ActiveX control contains a flaw that allows attackers to read arbitrary files. (CVE-2014-0771, CVE-2014-0772)
- An unspecified ActiveX control contains a flaw that allows certain executable names to be run from arbitrary path names. (CVE-2014-0773)

Solution

Upgrade to Advantech WebAccess version 7.2-2013.11.14 or later.

See Also

http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03

https://ics-cert.us-cert.gov//advisories/ICSA-14-261-01

http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities

http://www.zerodayinitiative.com/advisories/ZDI-14-072

http://www.zerodayinitiative.com/advisories/ZDI-14-073

http://www.zerodayinitiative.com/advisories/ZDI-14-074

http://www.zerodayinitiative.com/advisories/ZDI-14-075

http://www.zerodayinitiative.com/advisories/ZDI-14-076

http://www.zerodayinitiative.com/advisories/ZDI-14-077

http://www.zerodayinitiative.com/advisories/ZDI-14-116

http://www.zerodayinitiative.com/advisories/ZDI-14-137

http://www.zerodayinitiative.com/advisories/ZDI-14-138

http://www.zerodayinitiative.com/advisories/ZDI-14-139

Plugin Details

Severity: High

ID: 9957

File Name: 9957.prm

Family: SCADA

Published: 2017/02/14

Modified: 2017/02/14

Dependencies: 9860

Nessus ID: 85411

Risk Information

Risk Factor: High

CVSSv2

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 2012/02/16

Vulnerability Publication Date: 2012/02/16

Reference Information

CVE: CVE-2014-0763, CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768, CVE-2014-0770, CVE-2014-0771, CVE-2014-0772, CVE-2014-0773

BID: 66718, 66722, 66725, 66728, 66732, 66733, 66740, 66742, 66749, 66750

OSVDB: 105564, 105565, 105566, 105567, 105568, 105569, 105570, 105571, 105572, 105573