Advantech WebAccess < 7.2-2013.11.14 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 9957

Synopsis

The detected version of Advantech WebAccess may be affected by multiple attack vectors.

Description

The installed version of Advantech WebAccess is prior to 7.2-2013.11.14 and is affected by the following vulnerabilities :

- Multiple SQL Injection vulnerabilities exist in 'DBVisitor.dll' that can be exploited via specially crafted SOAP requests. (CVE-2014-0763)
- Multiple stack-based buffer overflow conditions exist in an unspecified ActiveX control. (CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768)
- The 'NodeName' parameter on the web interface is affected by a buffer overflow vulnerability. (CVE-2014-0770)
- An unspecified ActiveX control contains a flaw that allows attackers to read arbitrary files. (CVE-2014-0771, CVE-2014-0772)
- An unspecified ActiveX control contains a flaw that allows certain executable names to be run from arbitrary path names. (CVE-2014-0773)

Solution

Upgrade to Advantech WebAccess version 7.2-2013.11.14 or later.

See Also

http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03

https://ics-cert.us-cert.gov//advisories/ICSA-14-261-01

http://www.coresecurity.com/advisories/advantech-webaccess-vulnerabilities

http://www.zerodayinitiative.com/advisories/ZDI-14-072

http://www.zerodayinitiative.com/advisories/ZDI-14-073

http://www.zerodayinitiative.com/advisories/ZDI-14-074

http://www.zerodayinitiative.com/advisories/ZDI-14-075

http://www.zerodayinitiative.com/advisories/ZDI-14-076

http://www.zerodayinitiative.com/advisories/ZDI-14-077

http://www.zerodayinitiative.com/advisories/ZDI-14-116

http://www.zerodayinitiative.com/advisories/ZDI-14-137

http://www.zerodayinitiative.com/advisories/ZDI-14-138

http://www.zerodayinitiative.com/advisories/ZDI-14-139

Plugin Details

Severity: High

ID: 9957

Family: SCADA

Published: 2/14/2017

Updated: 3/6/2019

Nessus ID: 85411

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:advantech:advantech_webaccess

Patch Publication Date: 2/16/2012

Vulnerability Publication Date: 2/16/2012

Reference Information

CVE: CVE-2014-0763, CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768, CVE-2014-0770, CVE-2014-0771, CVE-2014-0772, CVE-2014-0773

BID: 66718, 66722, 66725, 66728, 66732, 66740, 66750, 66749, 66742, 66733