Advisory Details

This vulnerability allows local attackers to escalate privileges on affected installations of Advantech WebAccess Node. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the configuration of the PostgreSQL database. The issue results from incorrect permissions set on a resource used by the service. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

12/17/19 - ZDI reported the vulnerability to ICS-CERT
01/08/20 - ICS-CERT provided ZDI with an ICS-VU-#, indicated that the vendor requested an extension until June
01/09/20 - ZDI offered an extension to 04/01/20
01/15/20 - The vendor requested an extension until April 30th
01/21/20 - The vendor indicated they would provide a fix as soon as possible
03/30/20 - ICS-CERT indicated that the vendor had issued a new release
03/31/20 - ZDI communicated that the fix was not included in the new release
04/15/20 - ZDI requested a status update and communicated an extension offer to 05/01/20
04/15/20 - ICS-CERT indicated that the fix would be applied in the second patch
04/16/20 – ZDI requested for an ETA for the second patch
04/17/20 - The vendor indicated that it would be released in late May or early June
04/21/20 - ZDI notified ICS-CERT the intention to publish the reports as 0-day advisories
04/23/20 - ZDI notified ICS-CERT these cases would publish as 0-day advisories on 05/14/20

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it.

• 2019-12-17 - Vulnerability reported to vendor
• 2020-05-14 - Coordinated public release of advisory