Vulnerability Spotlight: Two vulnerabilities in Advantech WebAccess/SCADA



Yuri Kramarz of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.


Cisco Talos recently discovered two vulnerabilities in the Advantech WebAccess/SCADA software package. An adversary could exploit these vulnerabilities to disclose sensitive information and to elevate their privileges on the targeted system, respectively. This HTML5-based software package allows users to perform data visualization and supervisory control over internet-of-things and operational technology devices.



In accordance with our coordinated disclosure policy, Cisco Talos is disclosing these vulnerabilities despite Advantech not confirming a fix. For more on this, refer to Cisco's 90-day vulnerability disclosure policy.


Vulnerability details


Advantech WebAccess/SCADA installation local file inclusion (TALOS-2020-1168/CVE-2020-13550)


A local file inclusion vulnerability exists in the installation functionality of Advantech WebAccess/SCADA 9.0.1. A specially crafted application can lead to information disclosure. An attacker can send an authenticated HTTP request to trigger this vulnerability.


Read the complete vulnerability advisory here for additional information. 


Advantech WebAccess/SCADA installation privilege escalation vulnerability (TALOS-2020-1169/CVE-2020-13551 - CVE-2020-13555)


Multiple exploitable local privilege elevation vulnerabilities exist in the file system permissions of Advantech WebAccess/SCADA 9.0.1 installation. Depending on the vector chosen, an attacker can either replace binary or loaded modules to execute code w ..
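
For defenders, the weak-permission condition described above can be checked by auditing the ACLs on the installation directory. The script below is an added example, not code from the Talos advisory or from Advantech: `$InstallRoot` is a placeholder because the page does not give the install path, and the trusted-SID list and the `.exe`/`.dll` filter are assumptions to adjust for the host.

```powershell
# Added example: list ACL entries that let non-administrative principals
# replace or tamper with executables, modules, or the folders that hold them.
param(
    [Parameter(Mandatory)]
    [string]$InstallRoot   # placeholder: the product's installation directory
)

# Well-known SIDs treated as trusted (assumption; extend for your environment).
$trustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that permit overwriting, deleting, or re-permissioning an object,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Check the root, every subdirectory, and every executable or module file.
$items = @(Get-Item -LiteralPath $InstallRoot) +
         @(Get-ChildItem -LiteralPath $InstallRoot -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' })

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.PropagationFlags -band $inheritOnly) { continue }   # does not apply to this object
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }

        # Resolve the SID to a name where possible; keep the SID otherwise.
        $name = $rule.IdentityReference.Value
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}
```

Any row naming a broad group such as Users, Authenticated Users or Everyone on a binary, module or its parent folder is a finding to remediate by tightening the ACL.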
