Full Report
If exploited, these vulnerabilities could lead to arbitrary code execution, file manipulation, denial of service and the creation of an admin account.
Analysis Summary
Based on the advisory regarding Advantech WebAccess/NMS, here is the technical summary of the identified vulnerabilities.
# Vulnerability: Critical Flaws in Advantech WebAccess/NMS
## CVE Details
*Note: This advisory covers a cluster of vulnerabilities tracked under CISA ICS-CERT advisory ICSA-20-098-03.*
- **CVE IDs:** CVE-2020-10614, CVE-2020-10616, CVE-2020-10610, CVE-2020-10612
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-89 (SQL Injection), CWE-434 (Unrestricted Upload), CWE-287 (Improper Authentication), CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Advantech WebAccess/NMS
- **Versions:** Versions 3.0.2 and prior
- **Configurations:** Web-based management interface enabled
## Vulnerability Description
The platform suffers from multiple critical security flaws:
1. **SQL Injection:** User-supplied input is concatenated into SQL statements without proper neutralization, allowing an attacker to alter the query and read or modify database contents.
2. **Unrestricted File Upload:** The application accepts uploads without adequately validating the file type or extension, so an attacker can place executable content on the server and achieve remote code execution (RCE).
3. **Improper Authentication:** Account-management functionality does not properly authenticate the caller, allowing a remote attacker to create an administrative account without authorization.
4. **Path Traversal:** User-supplied path components are not validated, so an attacker can reach files outside the intended directory and manipulate or delete arbitrary files on the host file system.
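The following Python snippet is an added illustration of the three input-handling weaknesses named above (CWE-22, CWE-434 and CWE-89) and is not Advantech code; nothing is known about the product's internals from the advisory. Each vulnerable pattern is placed beside a hardened version. The upload root, the extension allowlist and the `users` table are assumptions made for the example, and the path checks assume a POSIX host.

```python
import os
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/nms/uploads"            # assumed upload directory
ALLOWED_EXT = {".csv", ".txt", ".png"}      # assumed allowlist of data-file types


# --- CWE-22: path traversal ---------------------------------------------
def resolve_vulnerable(user_path: str) -> str:
    # Vulnerable pattern: join and normalize; "../" walks out of UPLOAD_ROOT.
    return os.path.normpath(os.path.join(UPLOAD_ROOT, user_path))


def resolve_hardened(user_path: str) -> Optional[str]:
    # Decode once and reject anything still encoded (stacked encodings such as
    # %252e%252e) or containing NUL; treat "\" as a separator as well.
    decoded = unquote(user_path).replace("\\", "/")
    if "%" in decoded or "\x00" in decoded:
        return None
    # Normalize, then require the result to stay inside UPLOAD_ROOT. An
    # absolute user path makes os.path.join discard the root, which the
    # prefix check also catches.
    candidate = os.path.normpath(os.path.join(UPLOAD_ROOT, decoded))
    if candidate != UPLOAD_ROOT and not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    return candidate


# --- CWE-434: unrestricted upload ---------------------------------------
def check_upload(filename: str) -> Optional[str]:
    # Vulnerable code stored any name as given. Here the name is reduced to its
    # last component (so traversal in the name is moot) and the final
    # extension must be on the allowlist; .jsp, .war, .exe etc. never pass.
    base = os.path.basename(unquote(filename).replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXT:
        return None
    return base


# --- CWE-89: SQL injection ----------------------------------------------
def demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "operator")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[int]]:
    # String concatenation: a quote in `name` rewrites the WHERE clause.
    return conn.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[int]]:
    # Parameter binding: the driver passes `name` as data, never as SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    print(resolve_vulnerable("../../../etc/passwd"))        # escapes the root
    print(resolve_hardened("../../../etc/passwd"))          # None
    print(check_upload("cmd.jsp"))                          # None
    conn = demo_db()
    print(find_user_vulnerable(conn, "x' OR '1'='1"))       # every row
    print(find_user_hardened(conn, "x' OR '1'='1"))         # []
```

The hardened resolver is deliberately strict: rejecting any remaining `%` after one decode is simpler and safer than looping the decoder, and the prefix comparison is done on the normalized string rather than on the raw input so that `/etc/passwd`, `..%2F` and `..\` are all handled by the same check.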
## Exploitation
- **Status:** Publicly disclosed via CISA ICS-CERT advisory ICSA-20-098-03; the advisory does not cite public exploit code.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full database access via SQLi)
- **Integrity:** High (Arbitrary file writes and admin account creation)
- **Availability:** High (Denial of Service via file deletion/manipulation)
## Remediation
### Patches
- **WebAccess/NMS Version 3.0.3** or later addresses these vulnerabilities. Users are urged to upgrade immediately.
### Workarounds
- Minimize network exposure for all control system devices and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- Use secure methods, such as Virtual Private Networks (VPNs), when remote access is required.
## Detection
- **Indicators of Compromise:** Web server access-log entries containing directory traversal sequences (`../`, including URL-encoded forms such as `..%2F`), quote-and-operator patterns typical of SQL injection in query parameters, administrative users appearing in application logs that no operator created, and unexpected `.jsp` or other executable files in upload directories.
- **Detection methods:** Place a web application firewall (WAF) in front of the management interface to flag SQL injection and traversal patterns, alert on upload requests whose file names carry executable extensions, and periodically compare the application's administrator list against an approved baseline.
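As an added example of the log-based detection described above (not part of the original advisory), the following Python script scans access-log lines in Apache/Tomcat combined format for the three request-level indicators: traversal sequences, SQL injection patterns and uploads or requests naming files with executable extensions. The sample log lines are constructed for this example, and the `/nms/...` paths are hypothetical rather than real WebAccess/NMS endpoints.

```python
import os
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Apr/2020:10:01:02 +0000] "GET /nms/index.html HTTP/1.1" 200 512
10.0.0.9 - - [13/Apr/2020:10:01:07 +0000] "GET /nms/download?file=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [13/Apr/2020:10:01:09 +0000] "GET /nms/report?name=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.9 - - [13/Apr/2020:10:01:15 +0000] "POST /nms/upload?filename=cmd.jsp HTTP/1.1" 200 20
10.0.0.5 - - [13/Apr/2020:10:02:00 +0000] "GET /nms/images/logo.png HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Applied after decoding, so "..%2F" and "..%5C" are caught as well.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
# Quote followed by OR/AND, UNION SELECT, or a stacked data-changing statement.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and)\s*['"\d]|union\s+select|;\s*(?:drop|insert|update)\b""",
    re.IGNORECASE,
)
# Server-side executable types that should never appear in an upload name.
DANGEROUS_EXT = {".jsp", ".jspx", ".war", ".exe", ".dll", ".bat"}


def classify(url: str) -> List[str]:
    """Return the indicator labels that apply to one request URL."""
    decoded = unquote(unquote(url))   # two passes catch double encoding
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append("path-traversal")
    if SQLI_RE.search(decoded):
        findings.append("sql-injection")
    parts = urlsplit(decoded)
    # Check the path itself (a web shell being invoked) and every query value
    # (a file name passed to an upload or download handler).
    names = [parts.path] + [v for vals in parse_qs(parts.query).values() for v in vals]
    if any(os.path.splitext(n)[1].lower() in DANGEROUS_EXT for n in names):
        findings.append("dangerous-file-extension")
    return findings


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and keep only those with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        findings = classify(m.group("url"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "url": m.group("url"),
                         "status": m.group("status"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["url"], "->", ", ".join(hit["findings"]))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents. The patterns are intentionally narrow to keep noise low on a management interface; a 200 status on a flagged traversal or upload request is the entry to escalate first, since it indicates the server served or stored the content.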
## References
- **Vendor Advisory:** hxxps[://]www[.]advantech[.]com/support/details/release-note?id=1-1V56S1W
- **CISA ICS-CERT:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-20-098-03
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2020/04/13/multiple-vulnerabilities-in-advantech-webaccess-nms/