Sign-up

ID

VAR-201805-1143


CVE

CVE-2018-7499


TITLE

Advantech WebAccess Node bwtagblk Stack-based Buffer Overflow Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-18-516

DESCRIPTION

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, several stack-based buffer overflow vulnerabilities have been identified, which may allow an attacker to execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.The specific flaw exists within notify2.exe, which is accessed through the 0x2711 IOCTL in the webvrpcs process. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of Administrator. Advantech WebAccess and others are products of Advantech. Advantech WebAccess is a browser-based HMI/SCADA software. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment. WebAccess Dashboard is one of the dashboard components; WebAccess Scada Node is one of the monitoring node components. WebAccess/NMS is a suite of web browsers for the Network Management System (NMS). A stack buffer overflow vulnerability exists in several Advantech products

Trust: 11.07

sources: NVD: CVE-2018-7499 // ZDI: ZDI-18-516 // ZDI: ZDI-18-490 // ZDI: ZDI-18-517 // ZDI: ZDI-18-510 // ZDI: ZDI-18-508 // ZDI: ZDI-18-498 // ZDI: ZDI-18-520 // ZDI: ZDI-18-506 // ZDI: ZDI-18-518 // ZDI: ZDI-18-497 // ZDI: ZDI-18-507 // ZDI: ZDI-18-509 // ZDI: ZDI-18-525 // ZDI: ZDI-18-523 // ZDI: ZDI-18-519 // CNVD: CNVD-2018-10713 // IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1 // CNVD: CNVD-2018-10713

AFFECTED PRODUCTS

vendor:advantechmodel:webaccess nodescope: - version: -

Trust: 10.5

vendor:advantechmodel:webaccess scadascope:ltversion:8.3.1

Trust: 1.0

vendor:advantechmodel:webaccessscope:lteversion:8.2_20170817

Trust: 1.0

vendor:advantechmodel:webaccess dashboardscope:lteversion:2.0.15

Trust: 1.0

vendor:advantechmodel:webaccessscope:lteversion:8.3.0

Trust: 1.0

vendor:advantechmodel:webaccess\/nmsscope:lteversion:2.0.3

Trust: 1.0

vendor:advantechmodel:webaccess <=8.2 20170817scope: - version: -

Trust: 0.6

vendor:advantechmodel:webaccessscope:lteversion:<=8.3.0

Trust: 0.6

vendor:advantechmodel:webaccess dashboardscope:lteversion:<=2.0.15

Trust: 0.6

vendor:advantechmodel:webaccess scada nodescope:ltversion:8.3.1

Trust: 0.6

vendor:advantechmodel:webaccess/nmsscope:lteversion:<=2.0.3

Trust: 0.6

vendor:advantechmodel:webaccessscope:eqversion:8.3.0

Trust: 0.6

vendor:advantechmodel:webaccessscope:eqversion:8.2_20170817

Trust: 0.6

vendor:advantechmodel:webaccess dashboardscope:eqversion:2.0.15

Trust: 0.6

vendor:advantechmodel:webaccess\/nmsscope:eqversion:2.0.3

Trust: 0.6

vendor:webaccessmodel: - scope:eqversion:*

Trust: 0.4

vendor:webaccess dashboardmodel: - scope:eqversion:*

Trust: 0.2

vendor:webaccess scadamodel: - scope:eqversion:*

Trust: 0.2

vendor:webaccess nmsmodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1 // ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-497 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-498 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517 // ZDI: ZDI-18-490 // CNVD: CNVD-2018-10713 // CNNVD: CNNVD-201805-446 // NVD: CVE-2018-7499

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2018-7499
value: HIGH

Trust: 10.5

nvd@nist.gov: CVE-2018-7499
value: CRITICAL

Trust: 1.0

CNVD: CNVD-2018-10713
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201805-446
value: CRITICAL

Trust: 0.6

IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1
value: CRITICAL

Trust: 0.2

ZDI: CVE-2018-7499
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 10.5

nvd@nist.gov: CVE-2018-7499
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2018-10713
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-7499
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1 // ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-497 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-498 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517 // ZDI: ZDI-18-490 // CNVD: CNVD-2018-10713 // CNNVD: CNNVD-201805-446 // NVD: CVE-2018-7499

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

sources: NVD: CVE-2018-7499

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201805-446

TYPE

Buffer error

Trust: 0.8

sources: IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1 // CNNVD: CNNVD-201805-446

PATCH

title:Advantech has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01

Trust: 10.5

title:Patch for Advantech WebAccess Stack Buffer Overflow Vulnerability (CNVD-2018-10713)url:https://www.cnvd.org.cn/patchInfo/show/130743

Trust: 0.6

title:Multiple Advantech Product Buffer Error Vulnerability Fixurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80056

Trust: 0.6

sources: ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-497 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-498 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517 // ZDI: ZDI-18-490 // CNVD: CNVD-2018-10713 // CNNVD: CNNVD-201805-446

EXTERNAL IDS

db:NVDid:CVE-2018-7499

Trust: 12.9

db:ICS CERTid:ICSA-18-135-01

Trust: 2.2

db:BIDid:104190

Trust: 1.6

db:CNVDid:CNVD-2018-10713

Trust: 0.8

db:CNNVDid:CNNVD-201805-446

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-5691

Trust: 0.7

db:ZDIid:ZDI-18-516

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5694

Trust: 0.7

db:ZDIid:ZDI-18-519

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5698

Trust: 0.7

db:ZDIid:ZDI-18-523

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5700

Trust: 0.7

db:ZDIid:ZDI-18-525

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5684

Trust: 0.7

db:ZDIid:ZDI-18-509

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5682

Trust: 0.7

db:ZDIid:ZDI-18-507

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5662

Trust: 0.7

db:ZDIid:ZDI-18-497

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5693

Trust: 0.7

db:ZDIid:ZDI-18-518

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5681

Trust: 0.7

db:ZDIid:ZDI-18-506

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5695

Trust: 0.7

db:ZDIid:ZDI-18-520

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5663

Trust: 0.7

db:ZDIid:ZDI-18-498

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5683

Trust: 0.7

db:ZDIid:ZDI-18-508

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5685

Trust: 0.7

db:ZDIid:ZDI-18-510

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5692

Trust: 0.7

db:ZDIid:ZDI-18-517

Trust: 0.7

db:ZDI_CANid:ZDI-CAN-5654

Trust: 0.7

db:ZDIid:ZDI-18-490

Trust: 0.7

db:IVDid:E2F10D30-39AB-11E9-AE57-000C29342CB1

Trust: 0.2

sources: IVD: e2f10d30-39ab-11e9-ae57-000c29342cb1 // ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-497 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-498 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517 // ZDI: ZDI-18-490 // CNVD: CNVD-2018-10713 // CNNVD: CNNVD-201805-446 // NVD: CVE-2018-7499

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-135-01

Trust: 12.7

url:http://www.securityfocus.com/bid/104190

Trust: 1.6

sources: ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-497 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-498 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517 // ZDI: ZDI-18-490 // CNVD: CNVD-2018-10713 // CNNVD: CNNVD-201805-446 // NVD: CVE-2018-7499

CREDITS

Mat Powell - Trend Micro Zero Day Initiative

Trust: 8.4

sources: ZDI: ZDI-18-516 // ZDI: ZDI-18-519 // ZDI: ZDI-18-523 // ZDI: ZDI-18-525 // ZDI: ZDI-18-509 // ZDI: ZDI-18-507 // ZDI: ZDI-18-518 // ZDI: ZDI-18-506 // ZDI: ZDI-18-520 // ZDI: ZDI-18-508 // ZDI: ZDI-18-510 // ZDI: ZDI-18-517

SOURCES

db:IVDid:e2f10d30-39ab-11e9-ae57-000c29342cb1
db:ZDIid:ZDI-18-516
db:ZDIid:ZDI-18-519
db:ZDIid:ZDI-18-523
db:ZDIid:ZDI-18-525
db:ZDIid:ZDI-18-509
db:ZDIid:ZDI-18-507
db:ZDIid:ZDI-18-497
db:ZDIid:ZDI-18-518
db:ZDIid:ZDI-18-506
db:ZDIid:ZDI-18-520
db:ZDIid:ZDI-18-498
db:ZDIid:ZDI-18-508
db:ZDIid:ZDI-18-510
db:ZDIid:ZDI-18-517
db:ZDIid:ZDI-18-490
db:CNVDid:CNVD-2018-10713
db:CNNVDid:CNNVD-201805-446
db:NVDid:CVE-2018-7499

LAST UPDATE DATE

2024-11-20T22:29:04.720000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-18-516date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-519date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-523date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-525date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-509date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-507date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-497date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-518date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-506date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-520date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-498date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-508date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-510date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-517date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-490date:2018-05-18T00:00:00
db:CNVDid:CNVD-2018-10713date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201805-446date:2020-10-09T00:00:00
db:NVDid:CVE-2018-7499date:2020-10-02T14:49:19.267

SOURCES RELEASE DATE

db:IVDid:e2f10d30-39ab-11e9-ae57-000c29342cb1date:2018-05-31T00:00:00
db:ZDIid:ZDI-18-516date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-519date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-523date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-525date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-509date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-507date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-497date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-518date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-506date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-520date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-498date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-508date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-510date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-517date:2018-05-18T00:00:00
db:ZDIid:ZDI-18-490date:2018-05-18T00:00:00
db:CNVDid:CNVD-2018-10713date:2018-05-31T00:00:00
db:CNNVDid:CNNVD-201805-446date:2018-05-16T00:00:00
db:NVDid:CVE-2018-7499date:2018-05-15T22:29:00.503