Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] Advantech WebAccess SQL Injection

Critical

Synopsis

Tenable discovered a new authenticated SQL injection vulnerability in Advantech WebAccess while researching the patches for TRA-2017-04. The SQL injection can be found in /WaExlViewer/rmTemplate.aspx in the method deleteTemplateByTemplateName.
public void deleteTemplateByTemplateName(string templateName)
{
    try
    {
        this.connectDB();
        if (this.conn.State == ConnectionState.Open)
        {
            string cmdText = "DELETE FROM rRptTemplate WHERE TemplateName='" + templateName + "'";
            OleDbCommand oleDbCommand = new OleDbCommand(cmdText, this.conn);
            OleDbDataReader oleDbDataReader = oleDbCommand.ExecuteReader();
            oleDbDataReader.Close();
            this.disconnectDB();
        }
    }
    catch (Exception ex)
    {
        this.writeLog(ex.ToString());
    }
}
Furthermore, Tenable realized that the authentication bypass detailed in CVE-2017-5152 was not properly patched. An unauthenticated remote attacker can combine these vulnerabilities to obtain the administrator password for the web interface.

Solution

Upgrade to Advantech WebAccess 8.2_20170817

Disclosure Timeline

2017-01-31 - Issue discovered
2017-02-02 - Issue submitted to ZDI, case bmartin0016
2017-02-14 - ZDI confirms vulnerability and accepts
2017-04-21 - ICS-CERT mails, says vendor has a new version, asks if we will test the fix
2017-04-21 - Tenable says yes
2017-04-24 - Tenable determines fix not complete, attack still works. Reports findings to ICS-CERT
2017-04-25 - ICS-CERT says they will pass on to vendor
2017-08-09 - ICS-CERT mails, says vendor has yet another new version and asks if Tenable will test
2017-08-17 - Tenable confirms fix
2017-08-29 - ICS-Cert releases advisory
2017-08-30 - ZDI releases advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]