Advantech DiagAnywhere Server
Act Now · CVSS 9.8 · ICS-CERT ICSA-19-346-01 · Dec 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
DiagAnywhere Server versions 3.07.11 and earlier contain a stack buffer overflow vulnerability (CWE-121) that allows remote code execution without authentication. Successful exploitation gives an attacker arbitrary code execution on the server, potentially allowing control of connected industrial devices. Advantech has released version 3.07.14 to address this issue.
What this means
What could happen
An attacker could run arbitrary code on the DiagAnywhere Server, potentially gaining control of connected industrial devices, altering process parameters, or disrupting diagnostic and remote monitoring capabilities across your control systems.
Who's at risk
Utilities and manufacturers using Advantech DiagAnywhere Server for remote diagnostics, monitoring, or management of PLCs, RTUs, I/O modules, and other Advantech control devices. This includes water utilities, electric utilities, and plant operators relying on remote troubleshooting and asset management capabilities.
How it could be exploited
An attacker with network access to the DiagAnywhere Server can send a specially crafted request that exploits a stack buffer overflow (CWE-121) to execute arbitrary code. No authentication or user interaction is required. Once compromised, the attacker gains control of the server and any devices connected through it.
Prerequisites
- Network access to DiagAnywhere Server (default port 8080 or configured port)
- DiagAnywhere Server version 3.07.11 or earlier running and exposed to the network
- No authentication required for exploitation
- Remotely exploitable
- No authentication required
- Low attack complexity
- Critical CVSS score (9.8)
- Stack buffer overflow allows arbitrary code execution
- Affects remote diagnostic and monitoring infrastructure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product             | Affected Versions | Fix Status
DiagAnywhere Server | ≤ 3.07.11         | 3.07.14
Remediation & Mitigation
Do now
HOTFIX: Upgrade DiagAnywhere Server to version 3.07.14 or later immediately
WORKAROUND: Restrict network access to DiagAnywhere Server: allow only authorized engineering workstations and block all external/Internet access with firewall rules
HARDENING: Place DiagAnywhere Server and connected control system devices on a network segment isolated from the business network using a firewall or network segmentation
HARDENING: If remote access to DiagAnywhere Server is required, route all access through a VPN and restrict VPN access to named users with a documented business need
HARDENING: Perform network discovery to identify any instances of DiagAnywhere Server running on your network and document their current versions and network exposure
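The discovery step above yields an inventory of servers, versions and exposure; the added script below (an illustration, not Advantech's or the advisory publisher's tooling) triages such an inventory against the version range in this advisory and attaches the remediation actions listed here. The CSV rows, column names and host names are constructed assumptions.

```python
import csv
import io

LAST_AFFECTED = "3.07.11"  # highest version the advisory lists as affected
FIXED_VERSION = "3.07.14"  # release Advantech issued to address the flaw
DEFAULT_PORT = 8080

# Constructed sample inventory (not real hosts); column names are an assumption.
INVENTORY_CSV = """host,version,port,reachable_from_business_net
plc-diag-01.plant.local,3.07.11,8080,yes
plc-diag-02.plant.local,3.07.14,8080,no
water-diag.util.local,3.7.9,8081,yes
hmi-diag.plant.local,3.07.12,8080,no
"""

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "ok": 3}

def parse_version(s: str) -> tuple:
    """Compare numerically: '3.07.14' > '3.07.9' and '3.7.9' == '3.07.9',
    which a plain string comparison gets wrong."""
    return tuple(int(p) for p in s.strip().split("."))

def version_status(version: str) -> str:
    """'affected' (<= 3.07.11), 'fixed' (>= 3.07.14), or 'unverified' in between."""
    v = parse_version(version)
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    return "fixed" if v >= parse_version(FIXED_VERSION) else "unverified"

def triage(inventory_csv: str = INVENTORY_CSV) -> list:
    """One finding per host, highest priority first, with the advisory's actions."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = version_status(row["version"])
        exposed = row["reachable_from_business_net"].strip().lower() == "yes"
        actions = []
        if status != "fixed":
            actions.append(f"HOTFIX: upgrade to {FIXED_VERSION} or later")
        if exposed:
            actions.append("WORKAROUND: firewall the port to authorized engineering workstations only")
        if int(row["port"]) != DEFAULT_PORT:
            actions.append(f"NOTE: non-default port {row['port']}; cover it in the firewall rules")
        if status == "affected" and exposed:
            priority = "critical"
        else:
            priority = "high" if status != "fixed" else ("medium" if exposed else "ok")
        findings.append({"host": row["host"], "status": status, "exposed": exposed,
                         "priority": priority, "actions": actions})
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f["priority"]])
```

A build between 3.07.11 and 3.07.14 is reported as "unverified" rather than safe, since the advisory names only 3.07.14 as the fix.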
CVEs (1)