Advantech WebAccess
Monitor · 7.1 · ICS-CERT ICSA-17-045-01 · Feb 14, 2017
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Advantech WebAccess versions 8.1 and earlier contain an improper access control vulnerability (CWE-427) in file permissions. An attacker with local user access to the WebAccess server can modify application files and cause execution of arbitrary code when the application restarts. Affected versions include all releases up to and including 8.1. The vendor has end-of-lifed this product and will not release a security patch.
What this means
What could happen
An attacker with local access to a WebAccess system could modify application files, causing operational disruption or enabling malicious commands to be executed on the device controlling critical processes.
Who's at risk
Water treatment and distribution facilities, electrical utilities, and other critical infrastructure operators using Advantech WebAccess version 8.1 or earlier for SCADA monitoring and control should assess their exposure. WebAccess is commonly deployed in plants with legacy supervisory systems that have not been modernized.
How it could be exploited
An attacker with local user access to the WebAccess application directory exploits insufficient file permissions (CWE-427) to overwrite application executable or script files. When WebAccess restarts or reloads components, the modified code executes with application privileges, allowing command execution or process manipulation.
Prerequisites
- Local user account access to the WebAccess server
- Write access to WebAccess application directories
- Ability to restart or trigger reloading of the affected application component
- Local exploitation required
- Low skill level to exploit
- No patch available (end-of-life product)
- Affects industrial control system
- Could allow code execution on critical systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
WebAccess | ≤ 8.1 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict file and directory permissions on WebAccess installation folders to the service account only; remove write permissions for standard user and guest accounts
- HARDENING: Apply access controls to limit local logon to authorized personnel only; disable unnecessary local user accounts
- HARDENING: Isolate WebAccess servers from general network access; restrict SSH/RDP access to authorized engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor file integrity of WebAccess application directories; alert on unauthorized modifications
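One way to implement the file-integrity monitoring step above, as an added example that is not part of the original advisory or any vendor tooling: it records a SHA-256 baseline of the installation directory and later reports files that were added, modified or removed. The directory and baseline paths are supplied by the operator (none come from the advisory), and the script name in the usage comment is an assumption.

```python
import hashlib
import json
import sys
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def save_baseline(root, baseline_file):
    """Record a known-good state; run after install or an approved change."""
    # Keep baseline_file outside root, on storage local users cannot write,
    # otherwise whoever can alter the application can also alter the baseline.
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))

def compare(root, baseline_file):
    """Return files added, modified or removed since the baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = snapshot(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
        "removed": sorted(baseline.keys() - current.keys()),
    }

def has_drift(report):
    """True when any file differs from the baseline."""
    return any(report.values())

if __name__ == "__main__":
    # Usage (assumed script name): fim.py baseline|check <install_dir> <baseline.json>
    mode, root, baseline_file = sys.argv[1:4]
    if mode == "baseline":
        save_baseline(root, baseline_file)
    else:
        report = compare(root, baseline_file)
        print(json.dumps(report, indent=2))
        sys.exit(1 if has_drift(report) else 0)
```

Run the `check` mode from a scheduled task and alert on a non-zero exit code; re-baseline only after an approved change.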
Mitigations - no patch available
WebAccess has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Evaluate upgrading to a supported SCADA or HMI platform with active vendor support and security patches
CVEs (1)