Body Background
TrendAI™ Zero Day Initiative™ Logo

(0Day) Advantech WebAccess Node DATACORE Stack-based Buffer Overflow Remote Code Execution Vulnerability

May 14th, 2020
ZDI-20-654 ZDI-CAN-9779

CVE ID

CVE-2020-12019

CVSS Score

9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors

Advantech

Affected Products

WebAccess

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Advantech WebAccess Node. Authentication is not required to exploit this vulnerability.

The specific flaw exists within DATACORE.exe. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of Administrator.

Additional Details

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

12/17/19 - ZDI reported the vulnerability to ICS-CERT
01/08/20 - ICS-CERT provided ZDI with an ICS-VU-#, indicated that the vendor requested an extension until June
01/09/20 - ZDI offered an extension to 04/01/20
01/15/20 - The vendor requested an extension until April 30th
01/21/20 - The vendor indicated they would provide a fix as soon as possible
03/30/20 - ICS-CERT indicated that the vendor had issued a new release
03/31/20 - ZDI communicated that the fix was not included in the new release
04/15/20 - ZDI requested a status update and communicated an extension offer to 05/01/20
04/15/20 - ICS-CERT indicated that the fix would be applied in the second patch
04/16/20 – ZDI requested for an ETA for the second patch
04/17/20 - The vendor indicated that it would be released in late May or early June
04/21/20 - ZDI notified ICS-CERT the intention to publish the reports as 0-day advisories
04/23/20 - ZDI notified ICS-CERT these cases would publish as 0-day advisories on 05/14/20

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.


Disclosure Timeline

  • 2019-12-17 - Vulnerability reported to vendor
  • 2020-05-14 - Coordinated public release of advisory

Credit

Z0mb1E

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.

RESEARCHERS

Submit a vulnerability

VENDORS

Learn how it works

ORGANIZATIONS

See how you're protected