Advantech WebAccess/NMS

Plan PatchCVSS 9.8ICS-CERT ICSA-20-098-01Apr 7, 2020

Advantech

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Advantech WebAccess/NMS versions prior to 3.0.2 contain multiple critical vulnerabilities including improper file upload validation (CWE-434), SQL injection (CWE-89), directory traversal (CWE-23), missing authentication (CWE-306), XML external entity injection (CWE-611), and command injection (CWE-78). These vulnerabilities can be exploited remotely without authentication to gain remote code execution, upload or delete files, create unauthorized administrator accounts, and cause denial-of-service conditions. No known public exploits are currently in circulation, but the high CVSS score (9.8) and lack of complexity indicate significant risk.

What this means

What could happen

An attacker could gain complete control of the WebAccess/NMS server, allowing them to execute arbitrary commands, create unauthorized admin accounts, manipulate or delete monitoring data, or disrupt the entire network management system that oversees critical infrastructure devices.

Who's at risk

Water utilities, electric utilities, wastewater treatment plants, and other industrial facilities that use Advantech WebAccess/NMS for centralized monitoring and management of PLCs, remote terminal units (RTUs), and other control devices. Any organization relying on this platform for network visibility into critical infrastructure is affected.

How it could be exploited

An attacker on the network (or from the Internet if the server is exposed) sends a specially crafted request to WebAccess/NMS that exploits one of the file upload, SQL injection, or XML parsing vulnerabilities to upload malicious files or execute system commands directly on the server. Once code execution is achieved, the attacker can create administrator accounts or make additional changes to the system.

Prerequisites

Network access to the WebAccess/NMS web server (typically port 80 or 443)
No authentication required for exploitation of the initial vulnerability

Remotely exploitableNo authentication requiredLow complexity exploitationAllows remote code execution and account creationAffects network management system overseeing critical control devicesNo patch available for older versions (end-of-life)

Exploitability

Some exploitation risk — EPSS score 2.0%

Affected products (1)

ProductAffected VersionsFix Status

WebAccess/NMS:< 3.0.23.0.2

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDIf update is not immediately possible, restrict network access to WebAccess/NMS by placing it behind a firewall and limiting access to only authorized engineering workstations or management networks

HARDENINGIsolate the WebAccess/NMS server and the control system network from the business/Internet network to prevent direct external exposure

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Advantech WebAccess/NMS to version 3.0.2 or later

Long-term hardening

0/1

HARDENINGIf remote access to WebAccess/NMS is required, implement a VPN with multi-factor authentication and keep VPN software updated

CVEs (8)

CVE-2020-10621 CVE-2020-10617 CVE-2020-10623 CVE-2020-10619 CVE-2020-10631 CVE-2020-10625 CVE-2020-10629 CVE-2020-10603

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1c50c75f-9513-4eb1-8987-41e67ec69208

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.