Sign-up

ID

VAR-201801-0589


CVE

CVE-2017-16753


TITLE

Advantech WebAccess Input validation vulnerability

Trust: 2.2

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240

DESCRIPTION

An Improper Input Validation issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows some inputs that may cause the program to crash. Advantech WebAccess Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. The vulnerability is caused by a failure to properly validate WebAccess input. Advantech WebAccess is prone to the following security vulnerabilities: 1. Multiple denial-of-service vulnerabilities 2. Multiple stack-based buffer-overflow vulnerabilities 3. A directory-traversal vulnerability 4. An SQL-injection vulnerability 5. Multiple denial-of-service vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database,perform certain unauthorized actions, gain unauthorized access and obtain sensitive information

Trust: 2.7

sources: NVD: CVE-2017-16753 // JVNDB: JVNDB-2017-011766 // CNVD: CNVD-2018-00672 // BID: 102424 // IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // VULHUB: VHN-107707

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672

AFFECTED PRODUCTS

vendor:advantechmodel:webaccessscope:ltversion:8.3

Trust: 2.4

vendor:advantechmodel:webaccessscope:eqversion:8.1

Trust: 0.9

vendor:advantechmodel:webaccessscope:eqversion:7.2

Trust: 0.9

vendor:advantechmodel:webaccessscope:eqversion:8.0

Trust: 0.6

vendor:advantechmodel:webaccess 8.2 20170330scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccessscope:eqversion:8.2

Trust: 0.3

vendor:advantechmodel:webaccess 8.1 20160519scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccess 8.0 20150816scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccessscope:eqversion:8

Trust: 0.3

vendor:advantechmodel:webaccessscope:neversion:8.3

Trust: 0.3

vendor:webaccessmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // BID: 102424 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16753
value: HIGH

Trust: 1.0

NVD: CVE-2017-16753
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-00672
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201801-240
value: HIGH

Trust: 0.6

IVD: e2e0e090-39ab-11e9-b212-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-107707
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-16753
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-00672
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e0e090-39ab-11e9-b212-000c29342cb1
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-107707
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16753
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // VULHUB: VHN-107707 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-107707 // JVNDB: JVNDB-2017-011766 // NVD: CVE-2017-16753

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-240

TYPE

Input validation error

Trust: 0.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNNVD: CNNVD-201801-240

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-011766

PATCH
title:Advantech WebAccessurl:http://www.advantech.com/industrial-automation/webaccess
Trust: 0.8
title:Advantech WebAccess enters a patch for validation vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/113127
Trust: 0.6
title:Advantech WebAccess Enter the fix for the verification vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77551
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2018-00672 // 
            
            
            
            JVNDB: JVNDB-2017-011766 // 
            
            
            
            CNNVD: CNNVD-201801-240

EXTERNAL IDS
db:NVDid:CVE-2017-16753
Trust: 3.6
db:BIDid:102424
Trust: 3.4
db:ICS CERTid:ICSA-18-004-02
Trust: 2.6
db:CNNVDid:CNNVD-201801-240
Trust: 0.9
db:CNVDid:CNVD-2018-00672
Trust: 0.8
db:ICS CERTid:ICSA-18-004-02A
Trust: 0.8
db:JVNDBid:JVNDB-2017-011766
Trust: 0.8
db:IVDid:E2E0E090-39AB-11E9-B212-000C29342CB1
Trust: 0.2
db:VULHUBid:VHN-107707
Trust: 0.1
sources:
            
            
            IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // 
            
            
            
            CNVD: CNVD-2018-00672 // 
            
            
            
            VULHUB: VHN-107707 // 
            
            
            
            BID: 102424 // 
            
            
            
            JVNDB: JVNDB-2017-011766 // 
            
            
            
            CNNVD: CNNVD-201801-240 // 
            
            
            
            NVD: CVE-2017-16753

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-004-02
Trust: 2.6
url:http://www.securityfocus.com/bid/102424
Trust: 2.5
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16753
Trust: 0.8
url:https://ics-cert.us-cert.gov/advisories/icsa-18-004-02a
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-16753
Trust: 0.8
url:http://webaccess.advantech.com
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2018-00672 // 
            
            
            
            VULHUB: VHN-107707 // 
            
            
            
            BID: 102424 // 
            
            
            
            JVNDB: JVNDB-2017-011766 // 
            
            
            
            CNNVD: CNNVD-201801-240 // 
            
            
            
            NVD: CVE-2017-16753

CREDITS
Steven Seeley of Offensive Security, Zhou Yu and Andrea Micalizzi working with Trend Micro??s Zero Day Initiative, and Michael Deplante.
Trust: 0.3
sources:
            
            
            BID: 102424

SOURCES
db:IVDid:e2e0e090-39ab-11e9-b212-000c29342cb1
db:CNVDid:CNVD-2018-00672
db:VULHUBid:VHN-107707
db:BIDid:102424
db:JVNDBid:JVNDB-2017-011766
db:CNNVDid:CNNVD-201801-240
db:NVDid:CVE-2017-16753

LAST UPDATE DATE
2024-08-14T13:46:14.466000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2018-00672date:2018-01-10T00:00:00
db:VULHUBid:VHN-107707date:2019-10-09T00:00:00
db:BIDid:102424date:2018-01-04T00:00:00
db:JVNDBid:JVNDB-2017-011766date:2018-04-03T00:00:00
db:CNNVDid:CNNVD-201801-240date:2019-10-17T00:00:00
db:NVDid:CVE-2017-16753date:2019-10-09T23:25:17.580

SOURCES RELEASE DATE
db:IVDid:e2e0e090-39ab-11e9-b212-000c29342cb1date:2018-01-10T00:00:00
db:CNVDid:CNVD-2018-00672date:2018-01-10T00:00:00
db:VULHUBid:VHN-107707date:2018-01-05T00:00:00
db:BIDid:102424date:2018-01-04T00:00:00
db:JVNDBid:JVNDB-2017-011766date:2018-01-25T00:00:00
db:CNNVDid:CNNVD-201801-240date:2018-01-08T00:00:00
db:NVDid:CVE-2017-16753date:2018-01-05T08:29:00.427