SB2018042517 - Remote code execution in Advantech WebAccess HMI Designer
Published: April 25, 2018
Security Bulletin ID
SB2018042517
Severity
High
Patch available
NO
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Out-of-bounds write (CVE-ID: CVE-2018-8837)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to out-of-bounds write when handling malicious input. A remote attacker can trick the victim into processing specially crafted .pm3 files, cause the system to write outside the intended buffer area and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Double free memory error (CVE-ID: CVE-2018-8835)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to double free memory error when handling malicious input. A remote attacker can trick the victim into processing specially crafted .pm3 files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Heap-based buffer overflow (CVE-ID: CVE-2018-8833)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to heap-based buffer overflow when handling malicious input. A remote attacker can trick the victim into processing specially crafted .pm3 files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.