PT-2020-12979 · Advantech · Viewsrv+3

Z0Mb1E · Published 2020-05-08 · Updated 2021-09-23 · CVE-2020-12006

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Advantech WebAccess Node versions 8.4.4 and prior
Advantech WebAccess Node version 9.0.0

Description

Multiple relative path traversal vulnerabilities exist that may allow a low privilege user to overwrite files outside the application’s control. The issue affects the WebAccess/SCADA system, including components such as DATACORE, ViewSrv, and DrawSrv, which are vulnerable to directory traversal and command injection attacks.

Recommendations

For Advantech WebAccess Node versions 8.4.4 and prior, update to a version later than 8.4.4 to resolve the issue.
For Advantech WebAccess Node version 9.0.0, update to a version later than 9.0.0 to resolve the issue.
As a temporary workaround, consider restricting access to the vulnerable IOCTL endpoints, such as 0x0000791e and 0x00002711, until a patch is available.

Fix

Relative Path Traversal

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2020-12006
ZDI-20-589
ZDI-20-595
ZDI-20-605

Affected Products

Advantech Webaccess Node
Datacore
Drawsrv
Viewsrv