Advantech/Broadwin WebAccess RPC Vulnerability
Act Now
ICS-CERT ICSA-11-094-02B
Jan 5, 2011
Summary
Advantech WebAccess contains an unsafe RPC (Remote Procedure Call) handling vulnerability (CWE-94) that allows unauthenticated remote code execution. An attacker can send a malicious RPC request that bypasses input validation and executes arbitrary code on the WebAccess server. No patch has been made available by the vendor for affected versions.
What this means
What could happen
An attacker with network access to WebAccess could execute arbitrary code on the system, potentially gaining control of the industrial control system and altering process operations or shutting down critical functions.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Advantech WebAccess for remote monitoring, data collection, or SCADA gateway functions should assess their exposure. This affects any organization that has deployed WebAccess versions prior to 7.1_2013.05.30 for industrial process monitoring or control.
How it could be exploited
An attacker sends a specially crafted RPC (Remote Procedure Call) request to WebAccess. The application improperly validates or sanitizes the RPC input, allowing the attacker to inject and execute arbitrary code on the server hosting WebAccess.
Prerequisites
- Network access to the WebAccess RPC interface (typically port 135 or dynamic RPC ports)
- No authentication required to send RPC requests
- remotely exploitable
- no authentication required
- no patch available
- code injection vulnerability (CWE-94)
- 23.8% EPSS score indicates moderate exploitation likelihood
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess: <7.1_2013.05.30 | <7.1 2013.05.30 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict RPC access (ports 135, 445, and dynamic RPC ports) to only trusted engineering workstations and secure administrative networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Monitor RPC traffic to and from the WebAccess system for signs of exploitation attempts
Mitigations - no patch available
WebAccess: <7.1_2013.05.30 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place WebAccess behind a network air-gap or demilitarized zone (DMZ) to isolate it from general plant network traffic and untrusted networks
HARDENING: Evaluate and plan migration away from WebAccess to a supported, patched alternative system, as no vendor fix is available for this product line
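The firewall and monitoring workarounds above can be checked against flow logs. The following is an added example, not part of the advisory or any vendor tooling: it flags connections to the WebAccess host's RPC ports from sources outside the trusted list. The host address, trusted networks, log format and the 49152-65535 dynamic range are assumptions, and each record is assumed to describe a connection initiation.

```python
import ipaddress

# Ports named in the advisory's workaround: 135 (RPC endpoint mapper) and 445 (SMB).
FIXED_RPC_PORTS = {135, 445}
# Assumption: default Windows dynamic RPC range; older or reconfigured hosts
# use a different range, so adjust this to the actual server.
DYNAMIC_RPC_RANGE = range(49152, 65536)
# Hypothetical addresses: the WebAccess server and trusted engineering networks.
WEBACCESS_HOST = ipaddress.ip_address("10.20.0.15")
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.0.32/28", "10.20.1.10/32")]

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
2024-01-10T08:00:01Z 10.20.0.34 10.20.0.15 135 ALLOW
2024-01-10T08:00:02Z 10.20.0.34 10.20.0.15 49712 ALLOW
2024-01-10T08:03:10Z 192.168.50.7 10.20.0.15 135 ALLOW
2024-01-10T08:03:11Z 192.168.50.7 10.20.0.15 50233 DENY
2024-01-10T08:04:00Z 10.20.0.34 10.20.0.15 443 ALLOW
2024-01-10T08:05:30Z 172.16.9.9 10.20.0.15 445 ALLOW
malformed line
"""

def is_rpc_port(port):
    return port in FIXED_RPC_PORTS or port in DYNAMIC_RPC_RANGE

def untrusted_rpc_flows(log_text):
    """Return (findings, skipped): RPC flows to WebAccess from untrusted sources."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
        except ValueError:
            skipped += 1  # malformed record: count it rather than silently drop it
            continue
        if dst != WEBACCESS_HOST or not is_rpc_port(port):
            continue
        if any(src in net for net in TRUSTED_SOURCES):
            continue
        # ALLOW means the restricting rule is missing; DENY is a blocked attempt to review.
        severity = "firewall-gap" if action == "ALLOW" else "blocked-attempt"
        findings.append((ts, str(src), port, severity))
    return findings, skipped

if __name__ == "__main__":
    for finding in untrusted_rpc_flows(SAMPLE_FLOWS)[0]:
        print(*finding)
```

A "firewall-gap" finding means the restriction from the first workaround is not in effect for that source and should be fixed before relying on monitoring alone.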
CVEs (1)