ICS-CERT has become aware of two publicly disclosed vulnerabilities, with proof-of-concept code, affecting the Advantech BroadWin WebAccess Client 126.96.36.199, a web browser-based human-machine interface (HMI) product. The public disclosure indicates that these vulnerabilities are remotely exploitable. ICS-CERT has contacted and is coordinating this information with Advantech to validate and confirm this report.
Specifically, the two disclosed vulnerabilities are:
- A format string vulnerability
- A memory corruption vulnerability
ICS-CERT will provide additional information as it becomes available. Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.
ICS-CERT published the follow-up advisory ICSA-12-047-01 Advantech WebAccess Vulnerabilities to the ICS-CERT Web site on February 16, 2012.
Advantech BroadWin WebAccess is a web-based HMI platform used in energy, manufacturing, and building automation applications. WebAccess is installed in several countries in Asia, North America, North Africa, and the Middle East.
Toll Free: 1-888-282-0870