OTPulse

Advantech WebAccess ActiveX Vulnerabilities (Update A)

Priority: Act Now
CVSS: 6.6
Source: ICS-CERT ICSA-16-173-01A
Date: Mar 25, 2016
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Advantech WebAccess versions 8.1_20160519 and earlier contain multiple ActiveX control vulnerabilities (CWE-623, CWE-120, CWE-200). These allow code execution and information disclosure through unsafe memory operations and improper validation in the WebAccess ActiveX controls. An attacker could exploit these flaws to run arbitrary code or read sensitive data if a user interacts with a malicious file or webpage while authenticated to WebAccess.

What this means
What could happen
An attacker with local access to a machine running WebAccess could execute arbitrary code or read sensitive data like engineering credentials or process configuration, potentially allowing them to modify industrial processes or extract plant data.
Who's at risk
Advantech WebAccess is widely used by water utilities, wastewater treatment plants, and electric utilities for SCADA configuration and remote monitoring. Engineering staff and plant operators who use WebAccess for process control and parameter adjustment are at risk.
How it could be exploited
An attacker would need to trick an authenticated WebAccess user into opening a malicious file or visiting a compromised website on their workstation. The ActiveX control would then execute arbitrary code with the privileges of the logged-in user, allowing modification of process configurations or theft of credentials.
Prerequisites
  • Authenticated user logged into WebAccess workstation
  • User interaction required (opening file, clicking link)
  • Local access to the user's machine or ability to deliver malicious content to that machine
Tags: no patch available · requires user interaction · local access required · high EPSS score (25.4%) · affects engineering workstations with access to control systems
Exploitability
High exploit probability (EPSS 25.4%)
Affected products (1)
Product      Affected Versions     Fix Status
WebAccess    <= 8.1_20160519       No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable ActiveX controls in web browsers on engineering workstations where possible
HARDENING: Educate users not to open untrusted files or click suspicious links while logged into WebAccess
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Apply the principle of least privilege: run WebAccess with non-administrator accounts
Mitigations - no patch available
WebAccess: <=8.1_20160519 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate engineering workstations running WebAccess from general corporate networks and the Internet
HARDENING: Monitor file downloads and email attachments on engineering workstations for suspicious content