Rewterz Threat Advisory – Industrial control Advantech WebAccess/SCADA Multiple Vulnerabilities

Severity

High

Analysis Summary

CVE-2019-10985

A path traversal vulnerability is caused by a lack of proper validation of a user-supplied path prior to use in file operations. An attacker can leverage this vulnerability to delete files while posing as an administrator.

CVE-2019-10991

Multiple stack-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10989

Multiple heap-based buffer overflow vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10983

An out-of-bounds read vulnerability is caused by a lack of proper validation of user-supplied data. Exploitation of this vulnerability may allow disclosure of information.

CVE-2019-10987

Multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10987

Multiple out-of-bounds write vulnerabilities are caused by a lack of proper validation of the length of user-supplied data. Exploitation of these vulnerabilities may allow remote code execution.

CVE-2019-10993

Multiple untrusted pointer dereference vulnerabilities may allow a remote attacker to execute arbitrary code.

Impact

• Information disclosure
• Deletion of files
• Remote code execution

Affected Vendors

Advantech

Affected Products

WebAccess/SCADA

Remediation

Advantech has released Version 8.4.1 of WebAccess/SCADA to address the reported vulnerabilities.

https://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download