The vulnerabilities could lead to the disclosure of sensitive information, deletion of files and remote code execution.
# Vulnerability: Multiple Security Flaws in Advantech WebAccess/SCADA
## CVE Details
- **CVE ID:** CVE-2019-6550, CVE-2019-6552, CVE-2019-10991, CVE-2019-10985, CVE-2019-10987, CVE-2019-10989, CVE-2019-10993
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-89 (SQL Injection), CWE-22 (Path Traversal), CWE-78 (Command Injection), CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** Advantech WebAccess/SCADA
- **Versions:** 8.3.5 and prior; 8.4.1 and prior
- **Configurations:** Systems with web-based management interfaces exposed to untrusted networks.
## Vulnerability Description
This suite of vulnerabilities stems from improper input validation and insufficient authentication mechanisms within the WebAccess/SCADA framework:
- **Remote Code Execution (RCE):** Several flaws allow unauthenticated attackers to inject OS commands or malicious code via specifically crafted web requests.
- **Path Traversal:** Faulty sanitization of file paths allows for the unauthorized deletion of arbitrary files or the disclosure of sensitive system configuration files.
- **SQL Injection:** Lack of parameterization in database queries allows attackers to bypass login screens or extract the entire backend database.
- **Information Disclosure:** Hardcoded credentials and insecure storage of configuration data can lead to the exposure of sensitive administrative information.
## Exploitation
- **Status:** Vulnerabilities were publicly disclosed by CISA and Trend Micro Zero Day Initiative; Proof of Concept (PoC) code has been discussed in security research circles.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to SCADA database and configuration files)
- **Integrity:** High (Ability to modify system files and database records)
- **Availability:** High (Potential for system crashes or permanent deletion of critical application files)
## Remediation
### Patches
- **Advantech WebAccess/SCADA Version 8.4.2:** Users are strongly encouraged to update to version 8.4.2 or higher, which contains fixes for the reported vulnerabilities.
- **Advantech WebAccess/SCADA Version 9.0:** New deployments should utilize the 9.x branch.
### Workarounds
- **Network Segmentation:** Isolate the SCADA network from the business LAN and the Internet.
- **Firewall Restrictions:** Restrict access to the WebAccess interface to a whitelist of trusted IP addresses.
- **Disable Unnecessary Services:** Turn off web services if remote management is not required for daily operations.
## Detection
- **Indicators of Compromise:** Look for unusual SQL syntax in web server access logs (e.g., `SELECT`, `UNION`, `--`). Monitor for unauthorized `cmd.exe` or `powershell.exe` processes spawned by the WebAccess web server identity.
- **Detection Methods:** Employ Network Intrusion Detection Systems (NIDS) with signatures updated for Advantech WebAccess/SCADA CVEs. Use vulnerability scanners (e.g., Nessus, OpenVAS) to identify unpatched versions.
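As an added example (not code from the advisory, CISA or Advantech), the following Python applies the two indicator classes listed above: SQL syntax and directory-traversal sequences in URL-decoded request targets from web server access logs, and shell interpreters started directly by the web server process. The log lines and process events are constructed, the `/app/` paths are placeholders, and treating `w3wp.exe` as the WebAccess web server image is an assumption.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (Combined Log Format); the /app/ paths are
# placeholders, not real WebAccess/SCADA endpoints.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [28/Jun/2019:10:01:02 +0000] "GET /app/login.asp?user=admin HTTP/1.1" 200 512
10.0.0.9 - - [28/Jun/2019:10:01:07 +0000] "GET /app/login.asp?user=admin%27%20UNION%20SELECT%201-- HTTP/1.1" 200 4096
10.0.0.9 - - [28/Jun/2019:10:01:09 +0000] "GET /app/view.asp?file=..%252F..%252Fwin.ini HTTP/1.1" 200 1024
10.0.0.7 - - [28/Jun/2019:10:02:00 +0000] "GET /app/report.asp?page=select HTTP/1.1" 200 256
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Indicator families keyed by label; a bare keyword such as "select" is not enough on its own.
INDICATORS = {
    "sqli": [
        re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.I),  # union-based extraction
        re.compile(r"'\s*(OR|AND)\b", re.I),                  # quote break plus boolean logic
        re.compile(r"--(\s|$)"),                              # SQL line-comment terminator
    ],
    "path-traversal": [re.compile(r"\.\.[/\\]")],             # ../ or ..\ once decoded
}

def classify_request(target):
    """Return the indicator labels matched by one request target (path + query)."""
    decoded = unquote_plus(unquote_plus(target))  # two passes also catch double-encoding
    return [label for label, pats in INDICATORS.items() if any(p.search(decoded) for p in pats)]

def scan_access_log(text):
    """Return (client_ip, target, labels) for each log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (labels := classify_request(m["target"])):
            hits.append((m["ip"], m["target"], labels))
    return hits

# Constructed process-creation events. Treating w3wp.exe as the WebAccess web server
# image is an assumption; substitute the process or service account actually in use.
WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
SAMPLE_PROCESS_EVENTS = [
    {"parent": "w3wp.exe", "image": "cmd.exe", "user": "IIS APPPOOL\\WebAccess"},
    {"parent": "explorer.exe", "image": "powershell.exe", "user": "CORP\\operator"},
    {"parent": "w3wp.exe", "image": "conhost.exe", "user": "IIS APPPOOL\\WebAccess"},
]

def shells_spawned_by_web_server(events):
    """Return events where a shell interpreter was started directly by the web server."""
    return [e for e in events
            if e["parent"].lower() in WEB_SERVER_IMAGES and e["image"].lower() in SHELL_IMAGES]
```

Run `scan_access_log(SAMPLE_ACCESS_LOG)` and `shells_spawned_by_web_server(SAMPLE_PROCESS_EVENTS)` to see which constructed entries are flagged; the `page=select` and `conhost.exe` entries are included to show that the checks do not fire on a bare keyword or on a non-shell child.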
## References
- **Vendor Advisory:** hxxps[://]www[.]advantech[.]com/support/details/release-note?id=1-1T99SXB
- **CISA Advisory (ICSA-19-164-02):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-19-164-02
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/06/28/multiple-vulnerabilities-in-advantech-webaccess-scada/