Advantech/Broadwin WebAccess RPC Vulnerability (Update B)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This updated advisory is a follow-up to the updated advisory titled ICSA-11-094-02A Advantech/Broadwin WebAccess RPC Vulnerability that was published November 4, 2011, on the NCCIC/ICS‑CERT Web site.
--------- Begin Update B Part 1 of 5 --------
Independent security researcher Rubén Santamarta has identified details and released exploit code for a Remote Procedure Call (RPC) vulnerability in the Advantech WebAccess and legacy BroadWin WebAccess software (WebAccess). WebAccess is a Web browser‑based human-machine interface (HMI) product. This RPC vulnerability affects the WebAccess Network Service on Port 4592/TCP and allows remote code execution.
Advantech has provided a free version upgrade that mitigates this vulnerability for any licensed user of any previous version of WebAccess.
--------- End Update B Part 1 of 5 ----------
--------- Begin Update B Part 2 of 5 --------
This vulnerability affects all versions of WebAccess prior to Version 7.1 2013.05.30, including all legacy versions of either Advantech WebAccess or BroadWin WebAccess.
--------- End Update B Part 2 of 5 ----------
Successful exploitation of this vulnerability could allow an attacker to remotely execute arbitrary code.
The full impact to individual organizations is dependent on multiple factors unique to each organization. The NCCIC/ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and operational product implementation.
--------- Begin Update B Part 3 of 5 --------
Advantech/Broadwin WebAccess is a Web-based HMI product used in energy, manufacturing, and building automation systems. The installation base is across Asia; North, Central, and South America; North Africa; the Middle East; and Europe. WebAccess Client software is available for desktop computers and laptops running Windows 2000, XP, Vista, Server 2003, Windows 7, and Windows 8. A thin-client interface is available for Windows CE and Windows Mobile 5.0.
--------- End Update B Part 3 of 5 ----------
--------- Begin Update B Part 4 of 5 --------
This is an RPC vulnerability in the WebAccess Network Service on 4592/TCP.
--------- End Update B Part 4 of 5 ----------
An attacker can initiate this exploit from a remote machine without user interaction.
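A defender-side check for the exposure described above, as an added example that is not part of the original advisory: it scans flow records for TCP connections to port 4592 that originate outside an approved client subnet. The record format, the subnet and the sample records are constructed assumptions, as are the function names.

```python
import ipaddress

WEBACCESS_RPC_PORT = 4592  # WebAccess Network Service port named in the advisory
# Assumption: the only subnet where legitimate WebAccess clients live.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records: "time proto src:port -> dst:port action"
SAMPLE_FLOWS = """\
2014-01-07T08:00:01Z TCP 10.20.0.15:51234 -> 10.20.1.5:4592 ALLOW
2014-01-07T08:00:09Z TCP 192.0.2.44:40112 -> 10.20.1.5:4592 ALLOW
2014-01-07T08:01:30Z TCP 10.30.7.9:49822 -> 10.20.1.5:4592 DENY
2014-01-07T08:02:02Z UDP 192.0.2.44:5353 -> 10.20.1.5:4592 ALLOW
2014-01-07T08:02:40Z TCP 192.0.2.44:40113 -> 10.20.1.5:443 ALLOW
malformed line without fields
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, action = parts
    try:
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
        return {"ts": ts, "proto": proto.upper(), "action": action.upper(),
                "src": ipaddress.ip_address(src_ip),
                "dst": ipaddress.ip_address(dst_ip), "dport": int(dport)}
    except ValueError:  # missing port, bad address or non-numeric port
        return None

def find_unexpected_rpc_access(log_text, allowed_nets=ALLOWED_CLIENT_NETS):
    """List (time, src, dst, status) for 4592/TCP flows from unapproved sources."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "TCP" or flow["dport"] != WEBACCESS_RPC_PORT:
            continue
        if any(flow["src"] in net for net in allowed_nets):
            continue  # expected HMI client
        # ALLOW means the connection reached the service; DENY was stopped upstream.
        status = "reached-service" if flow["action"] == "ALLOW" else "blocked"
        findings.append((flow["ts"], str(flow["src"]), str(flow["dst"]), status))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_rpc_access(SAMPLE_FLOWS):
        print(finding)
```

Records marked `reached-service` show the port is reachable from outside the approved subnet and should be reviewed first; `blocked` records show attempts that an upstream control stopped.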
EXISTENCE OF EXPLOIT
An exploit of this vulnerability has been posted publicly.
This vulnerability requires a moderate level of skill to exploit.
--------- Begin Update B Part 5 of 5 --------
Advantech has released a new version of WebAccess that mitigates this vulnerability. Users may upgrade to the latest version from any previous version of WebAccess at no charge. Download the latest version of WebAccess (V 7.1 2013.05.30) from the following location on the Advantech Web site:
Advantech has also created the following site to share additional information about WebAccess:
Prior to the release of this new version, customers using WebAccess should refer to security considerations recommended by Advantech in the WebAccess Installation Manual:
For further assistance, contact Advantech support at +1-877-451-6868.
--------- End Update B Part 5 of 5 ----------
Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC/ICS-CERT for tracking and correlation against other incidents. NCCIC/ICS‑CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
NCCIC/ICS-CERT also provides a section for control systems security recommended practices on the NCCIC/ICS-CERT Web site at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- a. CWE-94: Improper Control of Generation of Code ('Code Injection'), http://cwe.mitre.org/data/definitions/94.html, Web site last accessed January 07, 2014.
- b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4041, NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.
- c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, Web site last accessed January 07, 2014.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870