OTPulse

Advantech R-SeeNet

Act Now · CVSS 9.8 · ICS-CERT ICSA-22-291-01 · Oct 18, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

R-SeeNet versions 2.4.19 and earlier contain path traversal (CWE-22) and buffer overflow (CWE-121) vulnerabilities that enable remote file deletion and remote code execution without authentication. These vulnerabilities are remotely exploitable over the network with low attack complexity.

What this means
What could happen
An attacker could remotely delete critical files or execute arbitrary code on R-SeeNet, compromising the integrity of network monitoring and potentially disrupting visibility into your control system operations.
Who's at risk
This affects organizations using Advantech R-SeeNet for industrial network monitoring in water authorities, electric utilities, and manufacturing facilities. R-SeeNet is commonly used for SCADA and ICS network visibility and remote management of control system devices.
How it could be exploited
An attacker on the network sends a specially crafted request to the R-SeeNet service exploiting the path traversal or buffer overflow flaw. No credentials are needed. Successful exploitation allows the attacker to delete files from the system or run arbitrary commands with the privileges of the R-SeeNet process.
Prerequisites
  • Network access to R-SeeNet service port
  • No credentials or authentication required
  • Affected version running (2.4.19 or earlier)
remotely exploitable · no authentication required · low complexity · file deletion capability · remote code execution · high CVSS (9.8)
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
R-SeeNet | ≤ 2.4.19 | 2.4.21
R-SeeNet | ≤ 2.4.17 (CVE-2022-3386 and CVE-2022-3385 only) | 2.4.21
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to R-SeeNet using firewall rules; allow only from trusted engineering and administrative workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update R-SeeNet to version 2.4.21 or later
HARDENING: Place R-SeeNet behind a firewall and isolate from business networks
HARDENING: If remote access to R-SeeNet is required, implement a VPN with current security patches and multi-factor authentication