OTPulse

Advantech WebAccess HMI Designer (Update A)

Plan Patch · CVSS 7.8 · ICS-CERT ICSA-21-173-01 · Jun 22, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

WebAccess HMI Designer versions prior to 2.1.11.0 contain multiple memory corruption vulnerabilities (CWE-122, CWE-787, CWE-119, CWE-416) and a cross-site scripting vulnerability (CWE-79). These flaws could result in memory corruption, code execution, hijacking of user session tokens, and unintended browser actions. The vulnerabilities are not remotely exploitable and require local access with user interaction.

What this means
What could happen
An attacker with local access to a designer workstation could exploit these memory corruption and XSS vulnerabilities to execute arbitrary code on the HMI development system, potentially compromising the integrity of HMI projects before deployment to production control systems.
Who's at risk
Manufacturing plants and utilities using Advantech WebAccess HMI Designer for control system visualization development are affected. This impacts engineering workstations and development environments where HMI projects are created before deployment to production PLCs and control systems.
How it could be exploited
An attacker must first gain local access to a workstation running WebAccess HMI Designer and trick a user into opening a malicious file or clicking a malicious link within the application. This could lead to memory corruption, code execution, or session hijacking, allowing the attacker to modify HMI projects or steal credentials.
Prerequisites
  • Local access to workstation running WebAccess HMI Designer
  • User interaction required (opening a file or clicking a link)
  • WebAccess HMI Designer version prior to 2.1.11.0
  • Low complexity exploitation
  • User interaction required
  • Affects development/engineering systems
  • Memory corruption vulnerabilities
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product                   Affected Versions   Fix Status
WebAccess HMI Designer    < 2.1.11.0          Fixed in 2.1.11.0
Remediation & Mitigation
Do now
HARDENING: Educate users not to open unsolicited files or click untrusted links within WebAccess HMI Designer
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update WebAccess HMI Designer to version 2.1.11.0 or later
Long-term hardening
HARDENING: Restrict local access to design workstations running WebAccess HMI Designer to trusted personnel only