PT-2018-6315 · Advantech · Advantech Webaccess

Published: 2018-01-05 · Updated: 2019-10-09 · CVE-2017-16728

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Advantech WebAccess versions prior to 8.3
Description: An Untrusted Pointer Dereference issue was discovered in Advantech WebAccess, which may allow an attacker to cause the program to use an invalid memory address, resulting in a program crash. The issue affects multiple functions, including SQLSetConnectOption, SQLFreeConnect, SQLExecute, SQLFetchScroll, SQLDescribeParam, SQLExecDirect, SQLSetEnvAttr, SQLConnect, SQLFreeEnv, SQLPrepare, SQLNumResultCols, SQLParamData, SQLDisconnect, SQLAllocStmt, SQLSetParam, SQLFetch, SQLFreeStmt, SQLCancel, SQLSetStmtAttr, and SQLPutData.
Recommendations: For Advantech WebAccess versions prior to 8.3, update to version 8.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable functions until a patch is available. Avoid using the affected functions in the webvrpcs drawsrv module to minimize the risk of exploitation.

Fix

NULL Pointer Dereference

Untrusted Pointer Dereference

Weakness Enumeration

Related Identifiers

CVE-2017-16728
ZDI-18-009
ZDI-18-010
ZDI-18-011
ZDI-18-012
ZDI-18-013
ZDI-18-014
ZDI-18-015
ZDI-18-016
ZDI-18-017
ZDI-18-018
ZDI-18-019
ZDI-18-020
ZDI-18-021
ZDI-18-022
ZDI-18-029
ZDI-18-030
ZDI-18-031
ZDI-18-032
ZDI-18-033
ZDI-18-034
ZDI-18-035
ZDI-18-036
ZDI-18-037
ZDI-18-038
ZDI-18-039
ZDI-18-040
ZDI-18-057
ZDI-18-059

Affected Products

Advantech Webaccess