PT-2019-3562 · Advantech · Advantech Webaccess

Natnael Samson +1

Published: 2019-06-27 · Updated: 2022-04-18

CVE-2019-10993

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Advantech WebAccess versions 8.3.5 and prior
Description: The issue consists of multiple untrusted pointer dereference vulnerabilities in the webvrpcs process of Advantech WebAccess. These vulnerabilities may allow a remote attacker to execute arbitrary code. They stem from the absence of validation of a pointer value before it is dereferenced.
Recommendations: For Advantech WebAccess versions 8.3.5 and prior, update to a version later than 8.3.5 to resolve the issue. As a temporary workaround, consider restricting access to the viewsrv module to minimize the risk of exploitation. Until a patch is applied, avoid using the vulnerable functions, such as SQLAllocStmt, fClose, SQLExecute, SQLNumResultCols, SQLSetConnectOption, SQLAllocConnect, findClose, fWrite, SQLExecDirect, SQLParamData, SQLNumParams, rewind, SQLGetData, SQLFetch, SQLDisconnect, SQLDescribeParam, SQLConnect, SQLFreeStmt, fileno, ftell, SQLPrepare, SQLFreeConnect, SQLCancel, SQLSetStmtAttr, SQLSetParam, and SQLFreeEnv.

Fix

Weakness Enumeration

Buffer Overflow
Untrusted Pointer Dereference

Related Identifiers

BDU:2019-03763
CVE-2019-10993
ZDI-19-593
ZDI-19-595
ZDI-19-596
ZDI-19-597
ZDI-19-598
ZDI-19-599
ZDI-19-600
ZDI-19-601
ZDI-19-602
ZDI-19-603
ZDI-19-604
ZDI-19-605
ZDI-19-606
ZDI-19-607
ZDI-19-608
ZDI-19-609
ZDI-19-610
ZDI-19-611
ZDI-19-612
ZDI-19-613
ZDI-19-614
ZDI-19-615
ZDI-19-616
ZDI-19-617
ZDI-19-618
ZDI-19-623

Affected Products

Advantech Webaccess