US Homeland Security Warns Of Dangerous SCADA Flaw

The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. 

WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of distributed computing  protocol, Remote Procedure Call (RPC). 

A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based bugger overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10. Another path traversal flaw that may allow an attacker to execute arbitrary code was given the same score, while others rated 7.5 and 7.8 scores.   

As ICS-CERT notes, WebAccess is used in critical manufacturing, energy, water, and wastewater systems in East Asia, the US, and Europe. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system,” ICS-CERT warns in its risk assessment. 

Advantech has released version 8.3.3 of WebAccess to fix the remotely exploitable bugs, which ICS-CERT emphasized requires a “low skill level to exploit”. WebAccess Versions 8.3.1 and prior are affected, according to ICS-CERT.  

Advantech’s WebAccess 8.3.3 release is available here where it details security updates for WebAccess on Windows 10, Windows 7, and Windows Server 2012 R2 machines.  

Fortunately, ICS-CERT is not aware of any public exploits targeting these vulnerabilities.

However, the latest fix follows the March release of a public exploit from a Tenable Security researcher Chris Lyne for an unauthenticated remote code execution flaw that worked against WebAccess versions 8.3, despite Advantech’s January release of WebAccess version 8.3 supposedly having addressed CVE-2017–16720, the flaw the exploit utilized. 

Lyne in July discovered his exploit also worked against the subsequently released WebAccess versions 8.3.1 and 8.3.2. 

“According to the WebAccess Support & Download page, 8.3.2 was released on August 17, 2018. It appears there was never a patch for this vulnerability,” Lyne wrote in September. 

He also found dozens of internet-exposed WebAccess instances through the IoT search engine, Shodan.io, which were likely a fraction of all WebAccess installations worldwide. 

WebAccess has become testing ground for researchers looking for bugs in Remote Procedure Call (RPC) protocols, which were developed in the pre-internet era and later implemented in Windows. 

Trend Micro’s Zero Day Initiative (ZDI) revealed in January this year that around 2016 it had paid for a “trove of vulnerability reports” written previously by an anonymous researcher who’d been investigating vulnerabilities in WebAccess RPC interfaces.   

ZDI researcher Fritz Sands explained that WebAccess installation and setup opens ports 4592 and 14592 for TCP traffic, which use RPC protocols to communicate with clients.  

Microsoft’s RPC implementation allows Windows machines to talk with other RPC-enabled systems, such as those that use Open Group’s Distributed Computing Environment (DCE) for RPC.   

“These ports are serviced by processes (webvrpcs.exe and datacore.exe) that run in the context of a local administrator. These ports use Remote Procedure Call (RPC) protocols to communicate with clients, and both of the RPC interfaces can be called from remote unauthenticated clients,” he noted. 

Sands, who was credited with reporting WebAccess bugs that were fixed in May, noted that code in Advantech’s WebAccess version 8.0 software package “contains many exploitable vulnerabilities” and encouraged hackers to use it test newer versions of WebAccess and then explore other products that use RPC services. 

CSO:

You Might Also Read:

US Accuses Russia Of Attacking Energy Infrastructure

« Britain Needs A Cyber Army To Defend Against Prolific Attacks
Lloyds Bank Is Replacing Customer Debit Cards After Cyber Attacks »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ASIS International

ASIS International

ASIS International is a global community of security practitioners with a role in the protection of assets - people, property, and/or information.

Arxan Technologies

Arxan Technologies

Arxan is a leader of application attack-prevention and self-protection products for Internet of Things (IoT), Mobile, Desktop, and other applications.

CyberGreen Institute

CyberGreen Institute

The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem.

macmon secure

macmon secure

macmon secure develops network security software, focussing on Network Access Control.

BioConnect

BioConnect

BioConnect provide biometric access control solutions to verify a person’s identity across physical, IOT and digital applications.

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

DreamIt Ventures

DreamIt Ventures

DreamIt Ventures is an early stage venture fund that accelerates startups building transformative tech products in the fields of Healthtech, Securetech, and Urbantech.

NSA Career Development Programs

NSA Career Development Programs

NSA offers entry-level programs to help employees enhance their skills, improve their understanding of a specific discipline and even cross-train into a new career field.

BrandShield

BrandShield

BrandShield is an anti-counterfeiting, anti-phishing and online brand protection solution.

eXate

eXate

eXate provides pioneering technology that empowers organisations to protect, control and manage their sensitive data centrally, providing a complete data privacy solution.

Templar Shield

Templar Shield

Templar Shield is a premier information security, risk and compliance technology professional services firm serving North America.

xorlab

xorlab

xorlab is a Swiss cybersecurity company providing specialized, machine-intelligent defense against highly engineered, sophisticated and targeted email attacks.

Terra Quantum

Terra Quantum

Terra Quantum is a deep tech pioneer, developing revolutionary quantum applications to shape the technology of the future.

Lansweeper

Lansweeper

Lansweeper is an IT Asset Management platform provider helping businesses better understand, manage and protect their IT devices and network.

Positka FSI Pte Ltd

Positka FSI Pte Ltd

Positka, being a Splunk Singapore partner, provides Splunk & Phantom Services, Cybersecurity & Risk Management, Analytics & Big Data, Lean Process Optimization, and Managed Security Services.

Cyber and Fraud Centre – Scotland

Cyber and Fraud Centre – Scotland

The Cyber and Fraud Centre – Scotland exists to ensure Scottish organisations are as resilient as they can be against cyber and fraud crime.