SB2020051108 - Multiple vulnerabilities in Advantech WebAccess/SCADA




Published: May 11, 2020
Updated: May 11, 2020

Security Bulletin ID: SB2020051108
Severity: High
Patch available: YES
Number of vulnerabilities: 48
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 88%, Medium 2%, Low 10%

Description

This security bulletin contains information about 48 security vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x5218 in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x520B in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


3) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x5209 in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


4) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x5208 in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


5) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x5213 in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


6) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x520B in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


7) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x521B in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


8) Buffer overflow (CVE-ID: CVE-2020-12022)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper array index validation within the implementation of IOCTL 0x0000521e in DATACORE.exe. A remote attacker can pass specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


9) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the implementation of IOCTL 0x00013c71 in BwWebSvc.dll. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to disclose stored credentials, leading to further compromise.


10) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the implementation of IOCTL 0x00013c74 and IOCTL 0x00013c75 in BwWebSvc.dll. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to disclose stored credentials, leading to further compromise.


11) SQL injection (CVE-ID: CVE-2020-12014)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the implementation of IOCTL 0x00013c76 and IOCTL 0x00013c77 in BwWebSvc.dll. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to disclose stored credentials, leading to further compromise.


12) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x5217 in datacore.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


13) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within bwscrp.exe when invoked via IOCTL 0x2711. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


14) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error within the implementation of IOCTL 0x0000277d in DrawSrv.dll. A remote attacker can pass specially crafted data to the application and overwrite arbitrary files on the system.


15) Path traversal (CVE-ID: CVE-2020-12026)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error within the implementation of IOCTL 0x0000277d in ViewSrv.dll. A remote attacker can pass specially crafted data to the application and overwrite arbitrary files on the system.


16) Out-of-bounds read (CVE-ID: CVE-2020-12018)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the implementation of IOCTL 0x00002722 in ViewSrv.dll. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.


17) Out-of-bounds read (CVE-ID: CVE-2020-12018)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the implementation of IOCTL 0x00002722 in DrawSrv.dll. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read error and read the contents of memory on the system.


18) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error within the implementation of IOCTL 0x0000791e in DATACORE.exe. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the system.


19) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00005241 in DATACORE.exe. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


20) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00005227 in DATACORE.exe. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


21) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwBacNetJ device driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


22) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the GpsET200 device driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


23) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the OPCUA device driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


24) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the SyntecUA device driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


25) Stack-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwBacNetJ driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


26) Stack-based buffer overflow (CVE-ID: CVE-2020-12002)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwBacNetJ driver. A remote unauthenticated attacker can pass specially crafted data to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


27) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002723 in ViewSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


28) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002774 in ViewSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


29) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002775 in ViewSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


30) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00005226 in DATACORE.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


31) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x0000791c in DATACORE.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


32) Integer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x0000791e in DATACORE.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


33) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x0000791d in DATACORE.exe. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


34) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002775 in DrawSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


35) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002723 in DrawSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


36) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00002774 in DrawSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


37) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x00013c77 in BwWebSvc.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


38) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the implementation of IOCTL 0x00013c7b in BwWebSvc.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


39) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x00013c84 in BwWebSvc.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


40) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwTCPIP device driver. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


41) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwTCPIP device driver. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


42) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the ModDuDrv device driver. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


43) Heap-based buffer overflow (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the processing of IOCTL 0x00013c80 in BwWebSvc.dll. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


44) Heap-based buffer overflow (CVE-ID: CVE-2020-10638)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the BwBacNetJ driver. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


45) Command Injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an input validation error within the implementation of IOCTL 0x00002711 in DrawSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code on the target system.


46) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an input validation error within the implementation of IOCTL 0x0000791e in DATACORE.exe. A remote attacker can create a specially crafted web page, trick the victim into visiting it and execute arbitrary code on the target system.


47) Command Injection (CVE-ID: CVE-2020-12006)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the implementation of IOCTL 0x00002711 in ViewSrv.dll. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary commands on the system.


48) Path traversal (CVE-ID: CVE-2020-12010)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote authenticated attacker can use a specially crafted file to delete files outside the application’s control.


Remediation

Install the update from the vendor's website.
