Advisory Details

May 14th, 2020

(0Day) Advantech WebAccess Node DATACORE Stack-based Buffer Overflow Remote Code Execution Vulnerability

ZDI-20-654
ZDI-CAN-9779

CVE ID CVE-2020-12019
CVSS SCORE 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS Advantech
AFFECTED PRODUCTS WebAccess
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.

The specific flaw exists within DATACORE.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator.
ADDITIONAL DETAILS

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

12/17/19 - ZDI reported the vulnerability to ICS-CERT
01/08/20 - ICS-CERT provided ZDI with an ICS-VU-#, indicated that the vendor requested an extension until June
01/09/20 - ZDI offered an extension to 04/01/20
01/15/20 - The vendor requested an extension until April 30th
01/21/20 - The vendor indicated they would provide a fix as soon as possible
03/30/20 - ICS-CERT indicated that the vendor had issued a new release
03/31/20 - ZDI communicated that the fix was not included in the new release
04/15/20 - ZDI requested a status update and communicated an extension offer to 05/01/20
04/15/20 - ICS-CERT indicated that the fix would be applied in the second patch
04/16/20 – ZDI requested for an ETA for the second patch
04/17/20 - The vendor indicated that it would be released in late May or early June
04/21/20 - ZDI notified ICS-CERT the intention to publish the reports as 0-day advisories
04/23/20 - ZDI notified ICS-CERT these cases would publish as 0-day advisories on 05/14/20

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.
DISCLOSURE TIMELINE
  • 2019-12-17 - Vulnerability reported to vendor
  • 2020-05-14 - Coordinated public release of advisory
CREDIT Z0mb1E
BACK TO ADVISORIES