US Homeland Security Warns Of Dangerous SCADA Flaw

The US DHS Industrial Control Systems CERT (ICS-CERT) has warned organizations using Advantech’s ICS products to install an update that kills a remotely exploitable flaw in its WebAccess software. 

WebAccess is the Taiwanese company’s browser-based SCADA software for monitoring remote field devices. It’s known among security researchers as a type of SCADA Human Machine Interface (HMI) system and has been the focus of security research in part because of its use of Microsoft’s implementation of the distributed computing protocol Remote Procedure Call (RPC).

A researcher at Trend Micro discovered multiple vulnerabilities in WebAccess, the worst of which is a stack-based buffer overflow, tracked as CVE-2018-14816, that has a CVSS version 3 score of 9.8 out of a possible 10. A path traversal flaw that may allow an attacker to execute arbitrary code was given the same score, while the others were rated 7.5 and 7.8.

As ICS-CERT notes, WebAccess is used in critical manufacturing, energy, water, and wastewater systems in East Asia, the US, and Europe. 

“Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, access files and perform actions at a privileged level, or delete files on the system,” ICS-CERT warns in its risk assessment. 

Advantech has released version 8.3.3 of WebAccess to fix the remotely exploitable bugs, which ICS-CERT emphasized requires a “low skill level to exploit”. WebAccess Versions 8.3.1 and prior are affected, according to ICS-CERT.  

Advantech’s WebAccess 8.3.3 release is available here, where the company details security updates for WebAccess on Windows 10, Windows 7, and Windows Server 2012 R2 machines.

Fortunately, ICS-CERT is not aware of any public exploits targeting these vulnerabilities.

However, the latest fix follows the March release of a public exploit from Tenable Security researcher Chris Lyne for an unauthenticated remote code execution flaw that worked against WebAccess version 8.3, despite Advantech’s January release of WebAccess version 8.3 supposedly having addressed CVE-2017-16720, the flaw the exploit utilized.

Lyne in July discovered his exploit also worked against the subsequently released WebAccess versions 8.3.1 and 8.3.2. 

“According to the WebAccess Support & Download page, 8.3.2 was released on August 17, 2018. It appears there was never a patch for this vulnerability,” Lyne wrote in September. 

He also found dozens of internet-exposed WebAccess instances through the IoT search engine, Shodan.io, which were likely a fraction of all WebAccess installations worldwide. 

WebAccess has become a testing ground for researchers looking for bugs in Remote Procedure Call (RPC) protocols, which were developed in the pre-internet era and later implemented in Windows.

Trend Micro’s Zero Day Initiative (ZDI) revealed in January this year that around 2016 it had paid for a “trove of vulnerability reports” written previously by an anonymous researcher who’d been investigating vulnerabilities in WebAccess RPC interfaces.   

ZDI researcher Fritz Sands explained that WebAccess installation and setup opens ports 4592 and 14592 for TCP traffic, which use RPC protocols to communicate with clients.  

Microsoft’s RPC implementation allows Windows machines to talk with other RPC-enabled systems, such as those that use Open Group’s Distributed Computing Environment (DCE) for RPC.   

“These ports are serviced by processes (webvrpcs.exe and datacore.exe) that run in the context of a local administrator. These ports use Remote Procedure Call (RPC) protocols to communicate with clients, and both of the RPC interfaces can be called from remote unauthenticated clients,” he noted. 

Sands, who was credited with reporting WebAccess bugs that were fixed in May, noted that code in Advantech’s WebAccess version 8.0 software package “contains many exploitable vulnerabilities” and encouraged hackers to use it to test newer versions of WebAccess and then explore other products that use RPC services.
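For defenders, the two actionable facts in the article are the affected version range (8.3.1 and prior, fixed in 8.3.3) and the two TCP ports (4592 and 14592) whose RPC interfaces accept unauthenticated remote calls. The following triage helper is an added example, not code from the article, Advantech or ICS-CERT; the firewall log format, host names and IP ranges are constructed assumptions.

```python
import ipaddress
import re

AFFECTED_MAX = (8, 3, 1)             # ICS-CERT: 8.3.1 and prior are affected
FIXED_VERSION = (8, 3, 3)            # Advantech release carrying the fixes
WEBACCESS_RPC_PORTS = {4592, 14592}  # served by webvrpcs.exe / datacore.exe

# Constructed firewall log lines (assumed format: time action proto src:port -> dst:port)
SAMPLE_LOG = """\
2018-10-02T08:14:11Z ACCEPT TCP 203.0.113.45:51022 -> 10.20.30.5:4592
2018-10-02T08:14:12Z ACCEPT TCP 10.20.30.12:49901 -> 10.20.30.5:14592
2018-10-02T08:15:03Z ACCEPT TCP 198.51.100.7:4433 -> 10.20.30.5:443
2018-10-02T08:16:40Z ACCEPT TCP 198.51.100.7:50211 -> 10.20.30.5:14592
"""
LOG_RE = re.compile(r"^(\S+) (\w+) TCP (\S+):(\d+) -> (\S+):(\d+)$")

def parse_version(text):
    """'8.3.1' -> (8, 3, 1): compare numerically so 8.10 sorts above 8.3.3."""
    return tuple(int(p) for p in text.strip().split("."))

def version_status(text):
    """Classify a WebAccess version against the advisory's affected/fixed bounds."""
    v = parse_version(text)
    if v <= AFFECTED_MAX:
        return "affected"
    if v < FIXED_VERSION:
        return "not covered by advisory; below fixed release"
    return "at or above fixed release"

def rpc_exposure(log_text, allowed_nets):
    """Return (time, src_ip, dst_port) for inbound connections to the WebAccess RPC
    ports from outside the allowed OT networks; those interfaces accept
    unauthenticated calls, so any such source is a finding worth investigating."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, _action, src, _sport, _dst, dport = m.groups()
        if int(dport) not in WEBACCESS_RPC_PORTS:
            continue
        if any(ipaddress.ip_address(src) in n for n in nets):
            continue
        findings.append((ts, src, int(dport)))
    return findings

if __name__ == "__main__":
    for host, ver in [("hmi-01", "8.3.1"), ("hmi-02", "8.3.3"), ("hmi-03", "8.0")]:
        print(host, ver, version_status(ver))
    for f in rpc_exposure(SAMPLE_LOG, ["10.20.30.0/24"]):
        print("RPC port reachable from outside OT allowlist:", f)
```

The version check deliberately says nothing about 8.3.2, which the advisory does not cover; the exposure check only reports sources outside the allowlist, since in-segment HMI clients are expected to use these ports.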

CSO:
