A vulnerability in Advantech WebAccess, a web browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems, allows attackers to remotely execute commands with administrator privileges on vulnerable systems.
The flaw (CVE-2017-16720) was supposed to have been patched, but Tenable researchers claim otherwise. Worse still, an exploit for it that works out of the box has been available online for nearly six months.
In January 2018, Advantech pushed out version 8.3 of the WebAccess software to fix a variety of more or less severe flaws, including CVE-2017-16720. At the time there were no known public exploits specifically targeting those vulnerabilities.
The exploit for CVE-2017-16720 was released in March, and in May Tenable researchers discovered that versions 8.3 and 8.3.1 (released in January and May, respectively) still sported that specific security hole.
Advantech then released version 8.3.2 of the package and, once again, the flaw remained exploitable.
“This vulnerability allows for remote command execution via the Remote Procedure Call (RPC) protocol over TCP port 4592. By utilizing malicious Distributed Computing Environment / Remote Procedure Calls (DCERPC), the webvrpcs.exe service will pass command line instructions to the host,” Tenable explains.
“The webvrpcs.exe service runs with administrator access rights, which means an attacker can take control of an asset at that privilege level.”
Researcher Chris Lyne found 38 vulnerable, Internet-facing instances of WebAccess via Shodan (that number is currently down to 33).
“These results certainly don’t represent the total number of WebAccess installations across the globe, but it is clear that the product is being used in at least five countries. Given that this software is used in critical infrastructure sectors (such as critical manufacturing, energy, water and wastewater systems), this type of cyber exposure creates the potential for significant impact,” he noted. So it’s possible that some of those have already been hit with the exploit.
More information about the flaw, its root cause and exploitation steps can be found in his post.
According to information provided by ICS-CERT, Advantech is planning to issue a fix for the flaw in September. In the meantime, users should minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
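To check whether that exposure guidance actually holds on a network, the following added example (not from the article, Tenable or Advantech) audits firewall flow records for allowed connections to TCP port 4592 from sources outside an approved subnet. The log format, the approved subnet and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

WEBACCESS_RPC_PORT = 4592  # TCP port of the webvrpcs.exe RPC service, per the article
# Assumption: the only subnet that should reach the RPC service (hypothetical engineering VLAN).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (assumed format): time,src,dst,dst_port,proto,action
SAMPLE_LOG = """\
2018-09-01T10:00:01Z,10.20.30.15,10.20.40.5,4592,tcp,allow
2018-09-01T10:02:10Z,203.0.113.77,10.20.40.5,4592,tcp,allow
2018-09-01T10:02:11Z,203.0.113.77,10.20.40.5,4592,tcp,allow
2018-09-01T10:03:00Z,10.99.1.8,10.20.40.6,4592,tcp,allow
2018-09-01T10:04:00Z,198.51.100.9,10.20.40.5,4592,tcp,deny
2018-09-01T10:05:00Z,198.51.100.9,10.20.40.5,443,tcp,allow
not,a,valid,record
"""

def classify(src):
    """Label a source address relative to the approved and internal ranges."""
    if any(src in net for net in ALLOWED_SOURCES):
        return "approved"
    if any(src in net for net in RFC1918):
        return "internal-unapproved"
    return "external"

def audit(log_text):
    """Return ({dst: {(src, kind): count}}, skipped) for allowed, unapproved flows to 4592."""
    findings = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for row in csv.reader(io.StringIO(log_text)):
        try:
            _, src, dst, port, proto, action = row
            src_ip, port = ipaddress.ip_address(src), int(port)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if proto != "tcp" or port != WEBACCESS_RPC_PORT or action != "allow":
            continue
        kind = classify(src_ip)
        if kind != "approved":
            findings[dst][(src, kind)] += 1
    return {dst: dict(hits) for dst, hits in findings.items()}, skipped

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any `external` finding means the RPC service is reachable from outside the internal address space; `internal-unapproved` findings point to segmentation gaps inside the control network.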