Sign-up

ID

VAR-201407-0234


CVE

CVE-2014-2365


TITLE

Advantech WebAccess Remote code execution vulnerability

Trust: 1.7

sources: IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-251 // CNVD: CNVD-2014-04462

DESCRIPTION

Unspecified vulnerability in Advantech WebAccess before 7.2 allows remote authenticated users to create or delete arbitrary files via unknown vectors. Authentication is not required to exploit this vulnerability. The specific flaw exists within the gmicons.asp functionality. An attacker may leverage this to run arbitrary code in the context of the WebAccess service. WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. Advantech WebAccess is prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause a denial-of-service condition. Advantech WebAccess 7.1 and prior are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech. There are security vulnerabilities in Advantech WebAccess 7.1 and earlier versions

Trust: 3.51

sources: NVD: CVE-2014-2365 // JVNDB: JVNDB-2014-003488 // ZDI: ZDI-14-251 // CNVD: CNVD-2014-04462 // BID: 68718 // IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-70304

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 1.0

sources: IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2014-04462

AFFECTED PRODUCTS

vendor:advantechmodel:webaccessscope:eqversion:7.0

Trust: 1.6

vendor:advantechmodel:webaccessscope:eqversion:5.0

Trust: 1.6

vendor:advantechmodel:webaccessscope:eqversion:6.0

Trust: 1.6

vendor:advantechmodel:webaccessscope:ltversion:7.2

Trust: 1.4

vendor:advantechmodel:webaccessscope:lteversion:7.1

Trust: 1.0

vendor:advantechmodel:webaccessscope: - version: -

Trust: 0.7

vendor:advantechmodel:webaccessscope:eqversion:7.1

Trust: 0.6

vendor:advantech webaccessmodel: - scope:eqversion:5.0

Trust: 0.4

vendor:advantech webaccessmodel: - scope:eqversion:6.0

Trust: 0.4

vendor:advantech webaccessmodel: - scope:eqversion:7.0

Trust: 0.4

vendor:advantech webaccessmodel: - scope:eqversion:*

Trust: 0.4

sources: IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-251 // CNVD: CNVD-2014-04462 // JVNDB: JVNDB-2014-003488 // CNNVD: CNNVD-201407-477 // NVD: CVE-2014-2365

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2365
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2365
value: MEDIUM

Trust: 0.8

ZDI: CVE-2014-2365
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2014-04462
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201407-477
value: MEDIUM

Trust: 0.6

IVD: 7d71e152-463f-11e9-af14-000c29342cb1
value: MEDIUM

Trust: 0.2

IVD: e482e66e-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-70304
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2365
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2014-2365
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2014-04462
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 7d71e152-463f-11e9-af14-000c29342cb1
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: e482e66e-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-70304
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:N/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-14-251 // CNVD: CNVD-2014-04462 // VULHUB: VHN-70304 // JVNDB: JVNDB-2014-003488 // CNNVD: CNNVD-201407-477 // NVD: CVE-2014-2365

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2014-2365

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201407-477

TYPE

Code injection

Trust: 0.4

sources: IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // IVD: e482e66e-2351-11e6-abef-000c29c66e3d

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-003488

PATCH
title:Downloads ::: WebAccess Softwareurl:http://webaccess.advantech.com/downloads.php?item=software
Trust: 0.8
title:Advantech WebAccessurl:http://webaccess.advantech.com/
Trust: 0.8
title:Advantech has issued an update to correct this vulnerability.url:http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02
Trust: 0.7
title:Patch for Advantech WebAccess Remote Code Execution Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/47712
Trust: 0.6
title:AdvantechWebAccessCHNNode_20140606_3.4.3url:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=50905
Trust: 0.6
sources:
            
            
            ZDI: ZDI-14-251 // 
            
            
            
            CNVD: CNVD-2014-04462 // 
            
            
            
            JVNDB: JVNDB-2014-003488 // 
            
            
            
            CNNVD: CNNVD-201407-477

EXTERNAL IDS
db:NVDid:CVE-2014-2365
Trust: 4.5
db:ICS CERTid:ICSA-14-198-02
Trust: 2.5
db:CNNVDid:CNNVD-201407-477
Trust: 1.1
db:CNVDid:CNVD-2014-04462
Trust: 1.0
db:BIDid:68718
Trust: 1.0
db:JVNDBid:JVNDB-2014-003488
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-2086
Trust: 0.7
db:ZDIid:ZDI-14-251
Trust: 0.7
db:IVDid:7D71E152-463F-11E9-AF14-000C29342CB1
Trust: 0.2
db:IVDid:E482E66E-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:VULHUBid:VHN-70304
Trust: 0.1
sources:
            
            
            IVD: 7d71e152-463f-11e9-af14-000c29342cb1 // 
            
            
            
            IVD: e482e66e-2351-11e6-abef-000c29c66e3d // 
            
            
            
            ZDI: ZDI-14-251 // 
            
            
            
            CNVD: CNVD-2014-04462 // 
            
            
            
            VULHUB: VHN-70304 // 
            
            
            
            BID: 68718 // 
            
            
            
            JVNDB: JVNDB-2014-003488 // 
            
            
            
            CNNVD: CNNVD-201407-477 // 
            
            
            
            NVD: CVE-2014-2365

REFERENCES
url:http://ics-cert.us-cert.gov/advisories/icsa-14-198-02
Trust: 3.2
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2365
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2365
Trust: 0.8
url:http://www.securityfocus.com/bid/68718
Trust: 0.6
sources:
            
            
            ZDI: ZDI-14-251 // 
            
            
            
            CNVD: CNVD-2014-04462 // 
            
            
            
            VULHUB: VHN-70304 // 
            
            
            
            JVNDB: JVNDB-2014-003488 // 
            
            
            
            CNNVD: CNNVD-201407-477 // 
            
            
            
            NVD: CVE-2014-2365

CREDITS
John Leitch
Trust: 0.7
sources:
            
            
            ZDI: ZDI-14-251

SOURCES
db:IVDid:7d71e152-463f-11e9-af14-000c29342cb1
db:IVDid:e482e66e-2351-11e6-abef-000c29c66e3d
db:ZDIid:ZDI-14-251
db:CNVDid:CNVD-2014-04462
db:VULHUBid:VHN-70304
db:BIDid:68718
db:JVNDBid:JVNDB-2014-003488
db:CNNVDid:CNNVD-201407-477
db:NVDid:CVE-2014-2365

LAST UPDATE DATE
2024-08-14T14:06:29.281000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-14-251date:2014-07-18T00:00:00
db:CNVDid:CNVD-2014-04462date:2014-07-22T00:00:00
db:VULHUBid:VHN-70304date:2014-07-23T00:00:00
db:BIDid:68718date:2014-07-22T00:07:00
db:JVNDBid:JVNDB-2014-003488date:2014-07-22T00:00:00
db:CNNVDid:CNNVD-201407-477date:2014-07-24T00:00:00
db:NVDid:CVE-2014-2365date:2014-07-23T17:39:18.790

SOURCES RELEASE DATE
db:IVDid:7d71e152-463f-11e9-af14-000c29342cb1date:2014-07-22T00:00:00
db:IVDid:e482e66e-2351-11e6-abef-000c29c66e3ddate:2014-07-22T00:00:00
db:ZDIid:ZDI-14-251date:2014-07-18T00:00:00
db:CNVDid:CNVD-2014-04462date:2014-07-22T00:00:00
db:VULHUBid:VHN-70304date:2014-07-19T00:00:00
db:BIDid:68718date:2014-07-18T00:00:00
db:JVNDBid:JVNDB-2014-003488date:2014-07-22T00:00:00
db:CNNVDid:CNNVD-201407-477date:2014-07-24T00:00:00
db:NVDid:CVE-2014-2365date:2014-07-19T05:09:27.627