One of TXOne’s researchers, Chizuru Toyama, has discovered and reported five new vulnerabilities in Advantech products. Advantech is a leading provider of technologies used in IoT, intelligent systems, Industry 4.0, machine automation, embedded computing and embedded systems around the globe. A vast amount of devices and systems are potentially at risk. Companies should check if they are affected. Toyama provides an overview and recommendations to protect or prevent your systems from exposure to these vulnerabilities.
According to Toyama, these vulnerabilities allow an attacker to send a maliciously crafted URL which could allow the user’s cookie/session tokens to be hijacked, thus allowing an attacker to redirect the user to a malicious web page (such as a phishing website) or cause other unintended browser actions. Prior to the discovery of this vulnerability, ‘downloadNode.asp’ and ‘controlNode.asp’ in Advantech WebAccess/SCADA were vulnerable to Cross-Site Scripting (XSS). Both ‘downloadNode.asp’ and ‘controlNode.asp’ did not properly validate values of “proj=” and “node=” in the URL and process query strings, so any injected JavaScript code would be executed.
To prevent this vulnerability from being exploited, we recommend updating to version 9.0.1 or later. We also recommend that users:
- Do not click unsolicited attachments or web links in emails, especially suspicious emails
- Learn about recognizing and avoiding e-mail scams
- Learn about avoiding social engineering and phishing attacks
Suggested IPS Rules
1139017 ICS Advantech WebAccess controlNode cross-site scripting (CVE-2021-27436)
This vulnerability is caused by insecure permissions being set as default on the WebAccess/SCADA portal’s ‘Project Management’ page. This can allow a low-privileged user to escalate privileges on the system after changing an administrator’s password and logging in with that administrator account.
To prevent this vulnerability from being exploited, we recommend updating to version 9.0.1 or later. We also recommend that users:
- Follow the “least privilege” principle in account hierarchy
- Minimize control systems being exposed to the network, or segment them separately from the business network
- Secure control system networks and remote devices behind firewalls, and segment them from the business network
- Use secure methods for remote access such as VPNs (Virtual Private Networks). Keep in mind that a VPN is only as secure as the devices connected to it, and that VPN clients must be kept updated to the latest version available.
CVE-2021-32956 and CVE-2021-32954
These two CVEs were published under a joint advisory. Similar to CVE-2021-27436, they both were found in Advantech’s WebAccess/SCADA.
CVE-2021-32956, similar to CVE-2021-27436, allows an attacker to send a URL to a user, potentially redirecting a user to a malicious web page (such as a phishing website). CVE-2021-32954 on the other hand could allow an attacker to read files on the system from a remote location.
Advantech is currenty developing a solution to these vulnerabilities. To prevent these vulnerabilities in the meantime, recommendations are similar to those for CVE-2021-22669:
- Minimize control systems being exposed to the network, or segment them separately from the business network
- Secure control system networks and remote devices behind firewalls, and segment them from the business network
- Use secure methods for remote access, such as VPNs (Virtual Private Networks). Keep in mind that a VPN is only as secure as the devices connected to it, and that VPN clients must be kept updated to the latest version available.
Suggested IPS Rules
1139364 ICS Advantech WebAccess WADashboard API Directory Traversal -1 (CVE-2021-32954)
1139366 ICS Advantech WebAccess WADashboard API Directory Traversal -2 (CVE-2021-32954)
1139368 ICS Advantech WebAccess WADashboard API Directory Traversal -3 (CVE-2021-32954)
This vulnerability affects versions of Advantech’s WISE-PaaS/RMM prior to 3.3.29. While there is a login portal for the WISE-PaaS Dashboard on WebAccess/SCADA, and this portal requires a user to log in with their SCADA account and password, the system actually logs into the WISE-PaaS Dashboard with a hardcoded default username and password. An attacker could use this default username and password to query the Grafana API, allowing them to get or update WISE-PaaS dashboard information.
Because Advantech has discontinued RMM and no longer maintains it, it’s not possible to fix this issue with an update.
We recommend the following defensive measures:
- Minimize control systems being exposed to the network, or segment them separately from the business network
- Secure control system networks and remote devices behind firewalls, and segment them from the business network
- Use secure methods for remote access, such as VPNs (Virtual Private Networks). Keep in mind that a VPN is only as secure as the devices connected to it, and that VPN clients must be kept updated to the latest version available.
