Full Report
Dangerous vulnerabilities have been identified in Advantech WebAccess HMI Designer. Their exploitation could lead to remote code execution.
Analysis Summary
# Vulnerability: Critical Flaws in Advantech WebAccess HMI Designer
## CVE Details
- **CVE ID:** CVE-2018-7494, CVE-2018-7495, CVE-2018-7493
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products:** Advantech WebAccess HMI Designer
- **Versions:** All versions prior to v2.1.8.94
- **Configurations:** Systems where WebAccess HMI Designer is used to create and edit HMI projects.
## Vulnerability Description
Multiple vulnerabilities were identified that allow for memory corruption and arbitrary code execution:
1. **Stack-based Buffer Overflows:** While processing HMI project files (.hmi), the application fails to properly validate the length of user-supplied data before copying it to a fixed-size stack buffer.
2. **DLL Hijacking (Uncontrolled Search Path):** The software improperly handles the loading of external library files, allowing an attacker to place a malicious DLL in a directory that is searched before the legitimate system directories.
## Exploitation
- **Status:** PoC available (Publicly disclosed shortly after discovery)
- **Complexity:** Low (Requires user to open a malicious file)
- **Attack Vector:** Local/Network (via social engineering; an attacker must convince a user to open a specially crafted project file).
## Impact
- **Confidentiality:** High (Full access to data on the system)
- **Integrity:** High (Ability to modify system files and logic)
- **Availability:** High (Potential for complete system crash or persistent denial of service)
## Remediation
### Patches
- **Advantech WebAccess HMI Designer v2.1.9.31** or later. Users are urged to update to the latest version immediately to address these flaws.
### Workarounds
- **Strict Access Control:** Restrict the ability of users to import or open HMI project files from untrusted or external sources.
- **Principle of Least Privilege:** Run the HMI Designer software under a standard user account rather than an administrator account to limit the impact of a successful exploit.
## Detection
- **Indicators of Compromise:**
  - Presence of unexpected `.dll` files in the project directories or the installation folder of HMI Designer.
  - Application crashes when opening specific `.hmi` project files.
- **Detection methods and tools:**
  - Use Endpoint Detection and Response (EDR) tools to monitor for suspicious child processes spawned by `PMDesigner.exe`.
  - Monitor file integrity in the application's installation directory.
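The two file-based checks above (unexpected `.dll` files and install-folder integrity) can be scripted as follows. This is an added example, not vendor or advisory code: the function names are hypothetical, the directory tree in `demo()` is constructed sample data, and real install and project paths must be supplied per site.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_dlls(root):
    """Map each DLL path (relative to root, lower-cased) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def audit_install_dir(install_dir, baseline):
    """Diff the install folder's DLLs against a known-good baseline."""
    current = hash_dlls(install_dir)
    shared = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in shared if current[k] != baseline[k]),
    }


def dlls_beside_projects(project_root):
    """Return DLLs found in any directory that also holds a .hmi project file."""
    root = Path(project_root)
    project_dirs = {p.parent for p in root.rglob("*") if p.suffix.lower() == ".hmi"}
    return sorted(
        f.relative_to(root).as_posix()
        for d in project_dirs
        for f in d.iterdir()
        if f.is_file() and f.suffix.lower() == ".dll"
    )


def demo():
    """Run both checks on a constructed directory tree (all names are sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        install, projects = Path(tmp, "install"), Path(tmp, "projects", "line1")
        for d in (install, projects):
            d.mkdir(parents=True)
        (install / "core.dll").write_bytes(b"vendor build")
        baseline = hash_dlls(install)  # in practice: captured from a trusted install
        (install / "core.dll").write_bytes(b"tampered")
        (install / "extra.dll").write_bytes(b"dropped later")
        for name in ("pump.hmi", "helper.dll"):
            (projects / name).write_bytes(b"sample")
        return audit_install_dir(install, baseline), dlls_beside_projects(Path(tmp, "projects"))
```

Store the baseline somewhere the engineering workstation's users cannot write to, and re-capture it after each vendor update.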
## References
- **Advantech Official Site:** hxxps[://]www[.]advantech[.]com/
- **Kaspersky ICS CERT Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/04/26/vulnerabilities-in-advantech-webaccess-hmi-designer/
- **CISA ICS-CERT Advisory (ICSA-18-102-01):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-102-01