Imaginary patch? SCADA software company reportedly never actually fixed RCE bug despite issuing update

A vulnerability that was supposedly patched last January in the Advantech WebAccess SCADA software solution for IoT environments was never actually fixed, according to a new report, and as a result the product remains susceptible to remote code execution from unauthenticated attackers.

What's worse, a proof-of-concept exploit for this vulnerability has been publicly available since Mar. 12, warned cybersecurity company Tenable in a blog post yesterday. This means users who believed their ICS networks were protected all this time could, in theory, have been compromised all along.

The vulnerability, CVE-2017-16720, is a path traversal flaw that was originally disclosed in a Jan. 4 ICS-CERT security advisory, which stated that Advantech addressed this and several other problems with the release of WebAccess Version 8.3. But Tenable reports that its researcher Chris Lyne discovered this past July that the fix never really happened. Since then, versions 8.3.1 and 8.3.2 have been released, but still with no patch, Tenable notes in its report.

Following the surprise discovery, Lyne promptly contacted both Advantech and the Department of Homeland Security's ICS-CERT team to coordinate a response. According to Tenable, Advantech told ICS-CERT that it will release a fix in September. Although a specific date has not been provided, Tenable nonetheless held firm to its 45-day disclosure deadline of Sept. 10 and published the news yesterday.
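The article names the bug class (path traversal) but does not describe WebAccess internals, and it does not say how Lyne confirmed the patch was missing. The following is an added, generic illustration, not Advantech's or Tenable's code: a naive file resolver beside a canonicalising one, plus a regression check of the kind a defender would keep in a test suite so that a vendor's "fixed" claim is verified against the shipped build rather than taken on trust. The directory layout, file names and probe list are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sandbox for the example: a web root with one public file and a
# sensitive file one level above it. Nothing here comes from the WebAccess
# product; the layout is an assumption made for illustration.
def make_web_root(base: Path) -> Path:
    root = base / "webroot"
    root.mkdir(parents=True, exist_ok=True)
    (root / "index.html").write_text("<h1>public</h1>")
    (base / "secret.conf").write_text("db_password=example")
    return root


def unsafe_resolve(root: Path, user_path: str) -> Path:
    """Naive join: '../' segments and absolute paths escape the root."""
    return root / user_path


def safe_resolve(root: Path, user_path: str) -> Path:
    """Canonicalise first, then refuse anything outside the real root."""
    root_real = root.resolve()
    candidate = (root_real / user_path).resolve()
    if os.path.commonpath([str(root_real), str(candidate)]) != str(root_real):
        raise PermissionError(f"path escapes web root: {user_path!r}")
    return candidate


# Hypothetical probe set for the regression check. A real suite would also
# cover whatever decoding the product applies before touching the filesystem.
TRAVERSAL_PROBES = [
    "../secret.conf",
    "./../secret.conf",
    "sub/../../secret.conf",
    "/etc/passwd",
]


def fix_is_real(resolver, root: Path) -> bool:
    """True only if legitimate files still resolve and every probe stays confined."""
    root_real = str(root.resolve())
    try:
        ok = resolver(root, "index.html").resolve()
    except PermissionError:
        return False  # a 'fix' that blocks normal use is not a fix
    if os.path.commonpath([root_real, str(ok)]) != root_real:
        return False
    for probe in TRAVERSAL_PROBES:
        try:
            resolved = resolver(root, probe).resolve()
        except PermissionError:
            continue  # rejected outright: confined
        if os.path.commonpath([root_real, str(resolved)]) != root_real:
            return False  # escaped the root: the bug is still present
    return True


def run_regression() -> dict:
    """Run the check against both resolvers in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = make_web_root(Path(tmp))
        return {
            "unsafe": fix_is_real(unsafe_resolve, root),
            "safe": fix_is_real(safe_resolve, root),
        }


if __name__ == "__main__":
    print(run_regression())  # {'unsafe': False, 'safe': True}
```

The check deliberately requires the legitimate `index.html` request to keep working: a resolver that rejects everything would also "pass" a probe-only test, which is the mirror image of the problem the article describes. Running such a check against each shipped release (8.3, 8.3.1, 8.3.2 in the article's case) is how a user, rather than the vendor, establishes that an advisory's "fixed" status reflects the binary they are actually running.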

Asked for further clarification, Tenable declined to provide a statement. SC Media also reached out to Advantech and DHS' ICS-CERT/National Cybersecurity & Communications Integration Center (NCCIC) for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
