The bugs include an OS command injection in the Advantech EKI-6340 series, a stack-based buffer overflow in Advantech WebAccess, and a buffer overflow in Advantech AdamView.
The bugs include an OS command injection in the Advantech EKI-6340 series, a stack-based buffer overflow in Advantech WebAccess, and a buffer overflow in Advantech AdamView.

Researchers with Core Security have identified vulnerabilities in three products manufactured by Advantech, a developer of industrial PCs, automation controllers and software, and embedded single board computers.

The vulnerabilities include an OS command injection, CVE-2014-8387, in the Advantech EKI-6340 series, a stack-based buffer overflow, CVE-2014-8388, in Advantech WebAccess, and a buffer overflow, CVE-2014-8386, in Advantech AdamView, according to advisories posted on Wednesday.

Core Security checked EKI-6340 V2.05, WebAccess 7.2, and AdamView V4.3, but indicated in the posts that other versions of each product are likely affected.

“These products are commonly used by companies that use SCADA to manage their infrastructure,” Joaquín Rodríguez Varela, senior researcher with Core Security, told SCMagazine.com in a Wednesday email correspondence.

The EKI-6340 series are wireless Mesh access points for outdoor deployment – the OS command injection vulnerability can be exploited by remote attackers to execute arbitrary code and commands “by using a non-privileged user against a vulnerable CGI file,” according to the post.

“For the EKI-6340, if the device is compromised it could allow a remote attacker to modify the devices configuration and redirect the traffic to a malicious DNS in order to steal information and it could also be used as a pivoting point to access other devices or machines inside the network,” Varela said.

Core Security was informed that a fix will not be issued since the vendor has plans to discontinue EKI-6340 early in 2015.

Core Security recommends changing the ‘guest' user password, or deleting the user if it is not used, and checking that the ‘admin' user does not have the default password, as well as editing the ‘fshttpd.conf' and removing the line ‘guest_allow=/cgi/ping.cgi', according to the post.

WebAccess is a browser-based software package for human-machine interfaces (HMI) and SCADA, and the stack-based buffer overflow vulnerability can be exploited by remote attackers to execute arbitrary code “by providing a malicious html file with specific parameters for an ActiveX component,” the post indicates.

“For the WebAccess software, even though [it] is a Client Side vulnerability, the file that needs to be run as an HTML, therefore the attacker could create a website containing the malicious HTML file and send the link to the victim,” Varela said. “When the victim accesses the malicious website the exploit would be automatically triggered.”

Advantech released WebAccess 8.0 and removed the vulnerable ‘webeye.ocx' file, but it is not removed from previous installations and is not deleted when performing a version upgrade, according to the post.

AdamView is HMI software for data acquisition – it has two different fields that are vulnerable to buffer overflow attacks, which can be exploited by attackers to execute arbitrary code “by running files with the .gni extension that is associated with the AdamView software,” according to the post.

Core Security was informed that AdamView is no longer supported and no fix or update will be released. 

“For the WebAccess and AdamView software, the vulnerabilities allow code execution, and the actions an attacker can take depend directly of the permissions the vulnerable applications are being run with,” Varela said.

Advantech did not respond to a SCMagazine.com request for comment.