[Control System] Advantech WebAccess security update

Number: AV18-085
Date: 17 May 2018

Purpose

Advantech WebAccess Security Update

Assessment

Advantech has released updates to address eight vulnerabilities, including but not limited to, SQL injection, improper authorization AuthorizationAccess privileges granted to a user, program, or process. , and path traversal in the WebAccess products.
Exploitation of these vulnerabilities may allow a remote unauthenticated user to disclose sensitive information from the host, execute arbitrary code, or delete files.

Affected Versions:

• WebAccess versions V8.2_20170817 and prior
• WebAccess versions V8.3.0 and prior
• WebAccess Dashboard versions V.2.0.15 and prior
• WebAccess Scada Node versions prior to 8.3.1
• WebAccess/NMS 2.0.3 and prior

Suggested Action

CCIRC recommends that owners/operators test and deploy the vendor released update.

References:

• http://support.advantech.com/support/DownloadSRDetail_New.aspx?SR_ID=1-MS9MJV&Doc_Source=Download
• https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01