Details of VAR-201601-0036

ID

VAR-201601-0036

CVE

CVE-2016-0854

TITLE

Advantech WebAccess File upload vulnerability

Trust: 0.8

sources: IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00390

DESCRIPTION

Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to write to files of arbitrary types via unspecified vectors. Advantech WebAccess Contains a vulnerability where an unlimited number of files can be uploaded and written to any type of file. http://cwe.mitre.org/data/definitions/434.htmlIt may be written to any type of file by a third party. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the FileUpload script allows unauthenticated callers to upload arbitrary code to directories in the server where the code can be automatically executed under the high-privilege context of the IIS AppPool. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. Advantech WebAccess HMI/SCADA software provides remote control and management. Advantech WebAccess is prone to following security vulnerabilities: 1. A denial-of-service vulnerability 2. An arbitrary file-upload vulnerability 3. A directory-traversal vulnerability 4. Multiple stack-based buffer-overflow vulnerabilities 5. A heap-based buffer overflow vulnerability 6. Multiple buffer-overflow vulnerabilities 7. Multiple information disclosure vulnerabilities 8. A cross-site scripting vulnerability 9. An SQL-injection vulnerability 10. A remote-code execution vulnerability An attacker can exploit these issues to execute arbitrary code in the context of the application, cause a denial-of-service condition, upload arbitrary files, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, to use directory-traversal sequences ('../') to retrieve arbitrary files, obtain sensitive information and perform certain unauthorized actions. This may aid in further attacks. Advantech WebAccess 8.0 and prior versions are vulnerable. Advantech WebAccess is a browser-based HMI/SCADA software developed by Advantech

Trust: 4.68

sources: NVD: CVE-2016-0854 // JVNDB: JVNDB-2016-001284 // ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // BID: 80745 // IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-88364 // VULMON: CVE-2016-0854

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2016-00390

AFFECTED PRODUCTS

vendor:	advantech	model:	webaccess	scope:	-	version:	-	Trust: 2.1
vendor:	advantech	model:	webaccess	scope:	lt	version:	8.1	Trust: 1.4
vendor:	advantech	model:	webaccess	scope:	lte	version:	8.0	Trust: 1.0
vendor:	advantech	model:	webaccess	scope:	eq	version:	8.0	Trust: 0.6
vendor:	advantech	model:	webaccess	scope:	eq	version:	8	Trust: 0.3
vendor:	advantech	model:	webaccess	scope:	eq	version:	7.2	Trust: 0.3
vendor:	advantech	model:	webaccess	scope:	ne	version:	8.1	Trust: 0.3
vendor:	webaccess	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // BID: 80745 // JVNDB: JVNDB-2016-001284 // CNNVD: CNNVD-201601-327 // NVD: CVE-2016-0854

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	CVE-2016-0854
value:	HIGH
Trust: 2.1
nvd@nist.gov:	CVE-2016-0854
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-0854
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-00390
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201601-327
value:	CRITICAL
Trust: 0.6
IVD:	64d9c0a4-2351-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-88364
value:	HIGH
Trust: 0.1
VULMON:	CVE-2016-0854
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-0854
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 4.0
CNVD:	CNVD-2016-00390
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	64d9c0a4-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-88364
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-0854
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.0

sources: IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // VULHUB: VHN-88364 // VULMON: CVE-2016-0854 // JVNDB: JVNDB-2016-001284 // CNNVD: CNNVD-201601-327 // NVD: CVE-2016-0854

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2016-001284 // NVD: CVE-2016-0854

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-327

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201601-327

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001284

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-88364 // VULMON: CVE-2016-0854

PATCH

title:	Advantech has issued an update to correct this vulnerability.	url:	https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01	Trust: 2.1
title:	Advantech WebAccess	url:	http://www.advantech.com/industrial-automation/webaccess	Trust: 0.8
title:	Patch for Advantech WebAccess File Upload Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/70314	Trust: 0.6
title:	Advantech WebAccess Fixes for any file upload vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59645	Trust: 0.6

sources: ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // JVNDB: JVNDB-2016-001284 // CNNVD: CNNVD-201601-327

EXTERNAL IDS

db:	NVD	id:	CVE-2016-0854	Trust: 5.8
db:	ICS CERT	id:	ICSA-16-014-01	Trust: 3.5
db:	ZDI	id:	ZDI-16-127	Trust: 1.9
db:	ZDI	id:	ZDI-16-129	Trust: 1.9
db:	ZDI	id:	ZDI-16-128	Trust: 1.9
db:	EXPLOIT-DB	id:	39735	Trust: 1.2
db:	CNNVD	id:	CNNVD-201601-327	Trust: 0.9
db:	CNVD	id:	CNVD-2016-00390	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-001284	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-3127	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-3128	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-3126	Trust: 0.7
db:	BID	id:	80745	Trust: 0.3
db:	IVD	id:	64D9C0A4-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	PACKETSTORM	id:	136769	Trust: 0.1
db:	VULHUB	id:	VHN-88364	Trust: 0.1
db:	VULMON	id:	CVE-2016-0854	Trust: 0.1

sources: IVD: 64d9c0a4-2351-11e6-abef-000c29c66e3d // ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // VULHUB: VHN-88364 // VULMON: CVE-2016-0854 // BID: 80745 // JVNDB: JVNDB-2016-001284 // CNNVD: CNNVD-201601-327 // NVD: CVE-2016-0854

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-014-01	Trust: 5.7
url:	https://www.exploit-db.com/exploits/39735/	Trust: 1.3
url:	http://www.rapid7.com/db/modules/exploit/windows/scada/advantech_webaccess_dashboard_file_upload	Trust: 1.3
url:	http://www.zerodayinitiative.com/advisories/zdi-16-127	Trust: 1.2
url:	http://www.zerodayinitiative.com/advisories/zdi-16-128	Trust: 1.2
url:	http://www.zerodayinitiative.com/advisories/zdi-16-129	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0854	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0854	Trust: 0.8
url:	http://webaccess.advantech.com	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128 // CNVD: CNVD-2016-00390 // VULHUB: VHN-88364 // VULMON: CVE-2016-0854 // BID: 80745 // JVNDB: JVNDB-2016-001284 // CNNVD: CNNVD-201601-327 // NVD: CVE-2016-0854

CREDITS

rgod

Trust: 2.1

sources: ZDI: ZDI-16-127 // ZDI: ZDI-16-129 // ZDI: ZDI-16-128

SOURCES

db:	IVD	id:	64d9c0a4-2351-11e6-abef-000c29c66e3d
db:	ZDI	id:	ZDI-16-127
db:	ZDI	id:	ZDI-16-129
db:	ZDI	id:	ZDI-16-128
db:	CNVD	id:	CNVD-2016-00390
db:	VULHUB	id:	VHN-88364
db:	VULMON	id:	CVE-2016-0854
db:	BID	id:	80745
db:	JVNDB	id:	JVNDB-2016-001284
db:	CNNVD	id:	CNNVD-201601-327
db:	NVD	id:	CVE-2016-0854

LAST UPDATE DATE

2024-08-14T13:33:09.219000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-16-127	date:	2016-02-05T00:00:00
db:	ZDI	id:	ZDI-16-129	date:	2016-02-05T00:00:00
db:	ZDI	id:	ZDI-16-128	date:	2016-02-05T00:00:00
db:	CNVD	id:	CNVD-2016-00390	date:	2016-01-21T00:00:00
db:	VULHUB	id:	VHN-88364	date:	2016-12-03T00:00:00
db:	VULMON	id:	CVE-2016-0854	date:	2016-12-03T00:00:00
db:	BID	id:	80745	date:	2016-01-14T00:00:00
db:	JVNDB	id:	JVNDB-2016-001284	date:	2016-01-26T00:00:00
db:	CNNVD	id:	CNNVD-201601-327	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-0854	date:	2016-12-03T03:18:15.633

SOURCES RELEASE DATE

db:	IVD	id:	64d9c0a4-2351-11e6-abef-000c29c66e3d	date:	2016-01-21T00:00:00
db:	ZDI	id:	ZDI-16-127	date:	2016-02-05T00:00:00
db:	ZDI	id:	ZDI-16-129	date:	2016-02-05T00:00:00
db:	ZDI	id:	ZDI-16-128	date:	2016-02-05T00:00:00
db:	CNVD	id:	CNVD-2016-00390	date:	2016-01-21T00:00:00
db:	VULHUB	id:	VHN-88364	date:	2016-01-15T00:00:00
db:	VULMON	id:	CVE-2016-0854	date:	2016-01-15T00:00:00
db:	BID	id:	80745	date:	2016-01-14T00:00:00
db:	JVNDB	id:	JVNDB-2016-001284	date:	2016-01-26T00:00:00
db:	CNNVD	id:	CNNVD-201601-327	date:	2016-01-18T00:00:00
db:	NVD	id:	CVE-2016-0854	date:	2016-01-15T03:59:16.407