ID

VAR-201801-0589


CVE

CVE-2017-16753


TITLE

Advantech WebAccess Input validation vulnerability

Trust: 2.2

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240

DESCRIPTION

An Improper Input Validation issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows some inputs that may cause the program to crash. Advantech WebAccess Contains an input validation vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. The vulnerability is caused by a failure to properly validate WebAccess input. Advantech WebAccess is prone to the following security vulnerabilities: 1. Multiple denial-of-service vulnerabilities 2. Multiple stack-based buffer-overflow vulnerabilities 3. A directory-traversal vulnerability 4. An SQL-injection vulnerability 5. Multiple denial-of-service vulnerabilities An attacker can exploit these issues to execute arbitrary code in the context of the application, or modify data, or exploit latent vulnerabilities in the underlying database,perform certain unauthorized actions, gain unauthorized access and obtain sensitive information

Trust: 2.7

sources: NVD: CVE-2017-16753 // JVNDB: JVNDB-2017-011766 // CNVD: CNVD-2018-00672 // BID: 102424 // IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // VULHUB: VHN-107707

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672

AFFECTED PRODUCTS

vendor:advantechmodel:webaccessscope:ltversion:8.3

Trust: 2.4

vendor:advantechmodel:webaccessscope:eqversion:8.1

Trust: 0.9

vendor:advantechmodel:webaccessscope:eqversion:7.2

Trust: 0.9

vendor:advantechmodel:webaccessscope:eqversion:8.0

Trust: 0.6

vendor:advantechmodel:webaccess 8.2 20170330scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccessscope:eqversion:8.2

Trust: 0.3

vendor:advantechmodel:webaccess 8.1 20160519scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccess 8.0 20150816scope: - version: -

Trust: 0.3

vendor:advantechmodel:webaccessscope:eqversion:8

Trust: 0.3

vendor:advantechmodel:webaccessscope:neversion:8.3

Trust: 0.3

vendor:webaccessmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // BID: 102424 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-16753
value: HIGH

Trust: 1.0

NVD: CVE-2017-16753
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-00672
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201801-240
value: HIGH

Trust: 0.6

IVD: e2e0e090-39ab-11e9-b212-000c29342cb1
value: HIGH

Trust: 0.2

VULHUB: VHN-107707
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-16753
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-00672
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e0e090-39ab-11e9-b212-000c29342cb1
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-107707
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-16753
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // VULHUB: VHN-107707 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-107707 // JVNDB: JVNDB-2017-011766 // NVD: CVE-2017-16753

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-240

TYPE

Input validation error

Trust: 0.8

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNNVD: CNNVD-201801-240

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-011766

PATCH

title:Advantech WebAccessurl:http://www.advantech.com/industrial-automation/webaccess

Trust: 0.8

title:Advantech WebAccess enters a patch for validation vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/113127

Trust: 0.6

title:Advantech WebAccess Enter the fix for the verification vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77551

Trust: 0.6

sources: CNVD: CNVD-2018-00672 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240

EXTERNAL IDS

db:NVDid:CVE-2017-16753

Trust: 3.6

db:BIDid:102424

Trust: 3.4

db:ICS CERTid:ICSA-18-004-02

Trust: 2.6

db:CNNVDid:CNNVD-201801-240

Trust: 0.9

db:CNVDid:CNVD-2018-00672

Trust: 0.8

db:ICS CERTid:ICSA-18-004-02A

Trust: 0.8

db:JVNDBid:JVNDB-2017-011766

Trust: 0.8

db:IVDid:E2E0E090-39AB-11E9-B212-000C29342CB1

Trust: 0.2

db:VULHUBid:VHN-107707

Trust: 0.1

sources: IVD: e2e0e090-39ab-11e9-b212-000c29342cb1 // CNVD: CNVD-2018-00672 // VULHUB: VHN-107707 // BID: 102424 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-004-02

Trust: 2.6

url:http://www.securityfocus.com/bid/102424

Trust: 2.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-16753

Trust: 0.8

url:https://ics-cert.us-cert.gov/advisories/icsa-18-004-02a

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-16753

Trust: 0.8

url:http://webaccess.advantech.com

Trust: 0.3

sources: CNVD: CNVD-2018-00672 // VULHUB: VHN-107707 // BID: 102424 // JVNDB: JVNDB-2017-011766 // CNNVD: CNNVD-201801-240 // NVD: CVE-2017-16753

CREDITS

Steven Seeley of Offensive Security, Zhou Yu and Andrea Micalizzi working with Trend Micro??s Zero Day Initiative, and Michael Deplante.

Trust: 0.3

sources: BID: 102424

SOURCES

db:IVDid:e2e0e090-39ab-11e9-b212-000c29342cb1
db:CNVDid:CNVD-2018-00672
db:VULHUBid:VHN-107707
db:BIDid:102424
db:JVNDBid:JVNDB-2017-011766
db:CNNVDid:CNNVD-201801-240
db:NVDid:CVE-2017-16753

LAST UPDATE DATE

2024-08-14T13:46:14.466000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2018-00672date:2018-01-10T00:00:00
db:VULHUBid:VHN-107707date:2019-10-09T00:00:00
db:BIDid:102424date:2018-01-04T00:00:00
db:JVNDBid:JVNDB-2017-011766date:2018-04-03T00:00:00
db:CNNVDid:CNNVD-201801-240date:2019-10-17T00:00:00
db:NVDid:CVE-2017-16753date:2019-10-09T23:25:17.580

SOURCES RELEASE DATE

db:IVDid:e2e0e090-39ab-11e9-b212-000c29342cb1date:2018-01-10T00:00:00
db:CNVDid:CNVD-2018-00672date:2018-01-10T00:00:00
db:VULHUBid:VHN-107707date:2018-01-05T00:00:00
db:BIDid:102424date:2018-01-04T00:00:00
db:JVNDBid:JVNDB-2017-011766date:2018-01-25T00:00:00
db:CNNVDid:CNNVD-201801-240date:2018-01-08T00:00:00
db:NVDid:CVE-2017-16753date:2018-01-05T08:29:00.427