Advantech has plugged nine security holes in WebAccess and has urged users to upgrade the software as soon as possible.
Advantech WebAccess is a web browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA).
A variety of vulnerabilities
The vulnerabilities, fixed in the latest version of the product, range from SQL injection flaws and buffer overflows to incorrect privilege and permission assignment and improper authentication.
If exploited, they could lead to account modifications, privilege escalation, information leakage, remote code execution, and system crashes.
The good news is that they were discovered by security researchers, and there are no known public exploits for them.
Upgrade WebAccess to stay safe
ICS-CERT advises users to upgrade to WebAccess V8.2_20170817, as well as to take defensive measures to minimize the risk of exploitation of these vulnerabilities.
This could be achieved by minimizing the network exposure of these systems, putting them behind firewalls and isolating them from the business network, and using VPNs when remote access to them is required.