Tenable Research Advisory: Advantech WebAccess Remote Command Execution Still Exploitable
Tenable Researcher Chris Lyne discovered that Advantech WebAccess versions 8.3, 8.3.1 and 8.3.2 are still vulnerable to remote command execution CVE-2017-16720, which was originally disclosed by ZDI in January 2018 and has a public exploit.
Hintergrund
Tenable Research’s Chris Lyne has discovered that Advantech WebAccess remains unprotected against a public exploit several months after a patch was released. Vulnerable WebAccess instances remain susceptible to an unauthenticated remote code execution (RCE) attack (CVE-2017-16720). WebAccess versions 8.3, 8.3.1 and 8.3.2 are affected.
On January 4, 2018, ICS-CERT released ICSA-18-004-02A to detail several vulnerabilities reported for Advantech WebAccess. One of the vulnerabilities, CVE-2017-16720, which was also disclosed by the Zero Day Initiative (ZDI), allows an unauthenticated remote attacker to execute arbitrary system commands.
The mitigation section of the ICS-CERT advisory states, “Advantech has released WebAccess Version 8.3 to address the reported vulnerabilities.” In March, two months after the release of the ICS-CERT advisory, a public exploit leveraging CVE-2017-16720 was published to the Exploit Database.
Vulnerability details
This vulnerability allows for remote command execution via the Remote Procedure Call (RPC) protocol over TCP port 4592. By utilizing malicious Distributed Computing Environment / Remote Procedure Calls (DCERPC), the webvrpcs.exe service will pass command line instructions to the host.
The webvrpcs.exe service runs with administrator access rights, which means an attacker can take control of an asset at that privilege level.
Exploitation
There is a publicly available Proof of Concept (PoC) for this vulnerability. Little additional research would be required for an attacker to utilize this PoC against any WebAccess target.
Since this vulnerability was not previously patched, and a public exploit has been available for quite some time, up-to-date assets running WebAccess could have been exploited.
Reaktion des Anbieters
ICS-CERT indicates Advantech has a fix that will be released in September. We will update this section as we get more information, and remediation information becomes available.
Identifying Affected Systems
Tenable has the following plugin available for identifying vulnerable assets.
|
Plugin ID |
Beschreibung |
|
Advantech WebAccess/SCADA Network Service Detection |
Mehr erfahren:
- Visit the Tenable Techblog on Medium to read researcher Chris Lyne's in-depth story about his work uncovering this vulnerability.
- Visit the Tenable Research Advisories page to stay up-to-date on security vulnerabilities in third-party software discovered by a dedicated team supported by researchers and engineers at Tenable.
Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Vulnerability Management