Advantech WebAccess HMI Designer

Monitor6.3ICS-CERT ICSA-18-114-03Apr 24, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Advantech WebAccess HMI Designer versions 2.1.7.32 and earlier contain buffer overflow and memory corruption vulnerabilities (CWE-122, CWE-415, CWE-787) that allow remote code execution over the network without authentication. The application fails to properly validate or bounds-check network input, permitting an attacker to send specially crafted requests that overflow memory buffers and execute arbitrary code in the context of the HMI Designer process.

What this means

What could happen

An attacker could run arbitrary code on the HMI Designer application through a network request, potentially allowing them to modify displayed information, alter engineering configurations, or disrupt control system design and monitoring capabilities.

Who's at risk

Manufacturing organizations using Advantech WebAccess HMI Designer for control system visualization and engineering should care about this vulnerability. This tool is used to design, configure, and monitor industrial processes, so compromise could affect plant operations and process control reliability.

How it could be exploited

An attacker sends a specially crafted request over the network to the WebAccess HMI Designer application. The application processes the request without proper bounds checking or validation (buffer overflow or memory corruption), allowing the attacker to execute arbitrary code in the context of the HMI Designer process.

Prerequisites

Network access to the WebAccess HMI Designer application port
WebAccess HMI Designer version 2.1.7.32 or earlier running
No user interaction required beyond receiving the malicious network request

remotely exploitableno authentication requiredlow complexityaffects engineering workstations and HMI systemsno patch available

Exploitability

Low exploit probability (EPSS 0.8%)

Affected products (1)

ProductAffected VersionsFix Status

WebAccess HMI Designer:≤ 2.1.7.32No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGIsolate WebAccess HMI Designer systems and related engineering workstations from the business network; place them behind a firewall with restricted inbound access.

WORKAROUNDBlock all unnecessary inbound network access to HMI Designer systems from the Internet and untrusted networks.

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

WORKAROUNDIf remote access to HMI Designer systems is required, use a VPN with current security updates and restrict access to authorized users only.

HOTFIXMonitor Advantech security notifications for patches; apply updates to WebAccess HMI Designer as soon as they become available and after impact assessment.

CVEs (3)

CVE-2018-8833 CVE-2018-8835 CVE-2018-8837

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6a18b188-9861-4c08-8a70-1f820ce0ee10