Details of VAR-201806-1812

ID

VAR-201806-1812

TITLE

(0Day) Advantech WebAccess ExlViewer getTemplateDetailByName template SQL Injection Information Disclosure Vulnerability

Trust: 0.7

sources: ZDI: ZDI-17-524

DESCRIPTION

This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Advantech WebAccess. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within ExlViewer.dll. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to extract information from the underlying database. Advantech WebAccess is a suite of browser-based HMI/SCADA software from Advantech. The software supports dynamic graphical display and real-time data control, and provides the ability to remotely control and manage automation equipment

Trust: 1.62

sources: ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441 // BID: 100231 // IVD: e2f35722-39ab-11e9-bbbb-000c29342cb1

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: e2f35722-39ab-11e9-bbbb-000c29342cb1 // CNVD: CNVD-2018-11441

AFFECTED PRODUCTS

vendor:	advantech	model:	webaccess	scope:	eq	version:	0	Trust: 1.1
vendor:	advantech	model:	webaccess	scope:	-	version:	-	Trust: 0.7

sources: IVD: e2f35722-39ab-11e9-bbbb-000c29342cb1 // ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441 // BID: 100231

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI:	ZDI-17-524
value:	MEDIUM
Trust: 0.7
CNVD:	CNVD-2018-11441
value:	HIGH
Trust: 0.6
IVD:	e2f35722-39ab-11e9-bbbb-000c29342cb1
value:	HIGH
Trust: 0.2

ZDI:	ZDI-17-524
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.7
CNVD:	CNVD-2018-11441
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	e2f35722-39ab-11e9-bbbb-000c29342cb1
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: e2f35722-39ab-11e9-bbbb-000c29342cb1 // ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441

THREAT TYPE

network

Trust: 0.3

sources: BID: 100231

TYPE

Input Validation Error

Trust: 0.3

sources: BID: 100231

PATCH

title:	This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.11/08/2016, 11/09/2016, 11/10/2016 and 11/15/2016 - ZDI disclosed the reports, 44 in all, to ICS-CERT11/09/2016 - The vendor acknowledged receipt of the report through ICS-CERT and ICS-CERT provided ICS-VU-71410304/27/2017 - ICS-CERT notified ZDI these might be fixed in the latest version and asked would ZDI re-test05/03/2017 - ZDI replied that we cannot do the testing for AdvantechICS-CERT did not respond06/23/2017 - ZDI wrote to ICS-CERT requesting any available update07/31/2017 - ZDI wrote to ICS-CERT requesting any available update08/01/2017 - ZDI wrote to ICS-CERT advising of the intent to 0-day-- Mitigation:Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in and numerous other Microsoft Knowledge Base articles.	url:	http://technet.microsoft.com/en-us/library/cc725770%28ws.10%29.aspx	Trust: 0.7
title:	Patch for Advantech WebAccess SQL Injection Vulnerability (CNVD-2018-11441)	url:	https://www.cnvd.org.cn/patchinfo/show/131913	Trust: 0.6

sources: ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441

EXTERNAL IDS

db:	ZDI	id:	ZDI-17-524	Trust: 1.0
db:	BID	id:	100231	Trust: 0.9
db:	CNVD	id:	CNVD-2018-11441	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-4211	Trust: 0.7
db:	IVD	id:	E2F35722-39AB-11E9-BBBB-000C29342CB1	Trust: 0.2

sources: IVD: e2f35722-39ab-11e9-bbbb-000c29342cb1 // ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441 // BID: 100231

REFERENCES

url:	http://technet.microsoft.com/en-us/library/cc725770%28ws.10%29.aspx	Trust: 0.7
url:	http://www.securityfocus.com/bid/100231	Trust: 0.6
url:	http://webaccess.advantech.com	Trust: 0.3
url:	http://www.zerodayinitiative.com/advisories/zdi-17-524/	Trust: 0.3

sources: ZDI: ZDI-17-524 // CNVD: CNVD-2018-11441 // BID: 100231

CREDITS

rgod

Trust: 0.7

sources: ZDI: ZDI-17-524

SOURCES

db:	IVD	id:	e2f35722-39ab-11e9-bbbb-000c29342cb1
db:	ZDI	id:	ZDI-17-524
db:	CNVD	id:	CNVD-2018-11441
db:	BID	id:	100231

LAST UPDATE DATE

2022-05-17T01:50:55.396000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-17-524	date:	2017-08-07T00:00:00
db:	CNVD	id:	CNVD-2018-11441	date:	2018-06-13T00:00:00
db:	BID	id:	100231	date:	2017-08-07T00:00:00

SOURCES RELEASE DATE

db:	IVD	id:	e2f35722-39ab-11e9-bbbb-000c29342cb1	date:	2018-06-13T00:00:00
db:	ZDI	id:	ZDI-17-524	date:	2017-08-07T00:00:00
db:	CNVD	id:	CNVD-2018-11441	date:	2018-06-13T00:00:00
db:	BID	id:	100231	date:	2017-08-07T00:00:00