CVE-2017-16720
Published: 2018-01-05
Priority: P2, 77, critical; CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 50.32% (98.8th percentile)
A Path Traversal issue was discovered in WebAccess versions 8.3.2 and earlier. An attacker has access to files within the directory structure of the target device.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | webaccess | <= 8.3.2 | — |
Detection & IOCs
- Detect unauthenticated DCERPC bind attempts to interface UUID 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc on TCP port 4592, which is the attack vector for CVE-2017-16720 against webvrpcs.exe.
- Monitor for IOCTL 0x2711 (decimal 10001) RPC calls to webvrpcs.exe on port 4592, which is used to pass path-traversal command strings to CreateProcessA().
- Alert on IOCTL 10005 RPC calls to webvrpcs.exe, which trigger an unauthenticated arbitrary file deletion (_unlink) primitive.
- Detect path-traversal sequences (e.g., ..\..\) in RPC stub data sent to TCP port 4592, indicative of directory traversal exploitation of webvrpcs.exe.
- Monitor webvrpcs.exe for spawning child processes with administrator privileges, as the service runs with administrator access rights and can be abused for RCE.
- Watch for unauthenticated RPC file-operation calls (fopen/fwrite/fclose) to webvrpcs.exe that write executables into C:\WebAccess\Node\ — a whitelisted directory used to bypass the CVE-2017-16720 patch.
- The ICS-CERT advisory stated WebAccess 8.3 addressed CVE-2017-16720, but Tenable confirmed versions 8.3, 8.3.1, and 8.3.2 remain vulnerable — patching to 8.3 is insufficient.
- The 8.3.3 patch introduced an executable whitelist in DsDaqWebService (drawsrv.dll) to restrict CreateProcessA() calls, but this whitelist can be bypassed by uploading a malicious file to a whitelisted path via unauthenticated RPC file-write operations.
- webvrpcs.exe accepts unauthenticated RPC calls for file operations (fopen, fseek, ftell, fread, fwrite, fclose), meaning network-level access controls blocking port 4592 are critical compensating controls.
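A network-side check for two items in the list above: binds to the webvrpcs.exe interface UUID and traversal sequences in request stub data on TCP 4592. This is an added example, not code from any of the cited sources; the function names, finding labels, the `../` variant and the constructed sample PDU are assumptions, and the parser expects one complete connection-oriented DCE/RPC PDU per payload.

```python
import struct
import uuid

# Interface UUID and port are taken from the detection notes above.
WEBVRPCS_UUID = uuid.UUID("5d2b62aa-ee0a-4a95-91ae-b064fdb471fc")
WEBVRPCS_PORT = 4592
PTYPE_REQUEST, PTYPE_BIND = 0, 11
TRAVERSAL = (b"..\\", b"../")  # the "../" form is an added assumption


def inspect_pdu(dst_port, payload):
    """Return findings for one connection-oriented DCE/RPC PDU."""
    if dst_port != WEBVRPCS_PORT or len(payload) < 16 or payload[0] != 5:
        return []
    little = (payload[4] >> 4) == 1      # packed_drep: 0x10 = little-endian
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", payload, 8)[0]
    body = payload[16:min(frag_len, len(payload))]
    findings = []
    if payload[2] == PTYPE_BIND and len(body) >= 12:
        off = 12                         # frag sizes, assoc group, list header
        for _ in range(body[8]):         # n_context_elem
            if off + 24 > len(body):
                break                    # truncated context list
            raw = body[off + 4:off + 20]  # abstract syntax (interface) UUID
            iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
            if iface == WEBVRPCS_UUID:
                findings.append("bind:webvrpcs-interface")
            off += 24 + 20 * body[off + 2]  # skip this element's transfer syntaxes
    elif payload[2] == PTYPE_REQUEST and len(body) >= 8:
        stub = body[8:]                  # after alloc_hint, context id, opnum
        wide = stub.replace(b"\x00", b"")  # crude fold of UTF-16LE text
        if any(t in stub or t in wide for t in TRAVERSAL):
            findings.append("request:path-traversal-sequence")
    return findings


def make_pdu(ptype, body):
    """Wrap a body in a little-endian DCE/RPC header (constructed test data)."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 3, b"\x10\0\0\0", 16 + len(body), 0, 1)
    return hdr + body


def sample_bind(iface=WEBVRPCS_UUID):
    """Constructed bind PDU with one context; version fields are placeholders."""
    ndr = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
    ctx = struct.pack("<HBB", 0, 1, 0) + iface.bytes_le + struct.pack("<I", 1)
    ctx += ndr.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, 1, 0, 0) + ctx
    return make_pdu(PTYPE_BIND, body)
```

Folding out NUL bytes to catch UTF-16 strings can produce false positives on binary stub data, so treat the request finding as a triage signal and the bind finding as the higher-confidence one.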
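CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |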
GHSA
GHSA-fh38-p8hv-hjcv: A Path Traversal issue was discovered in WebAccess versions 8
ghsa_unreviewed·2022-05-13
CVE-2017-16720 [CRITICAL] CWE-22 GHSA-fh38-p8hv-hjcv: A Path Traversal issue was discovered in WebAccess versions 8
CISA ICS
Advantech WebAccess (Update A)
cisa_ics·2018-01-04
ICS Advisory
Last Revised: January 11, 2018
Alert Code: ICSA-18-004-02A
## CVSS v3 8.2
ATTENTION: Remotely exploitable/low skill level to exploit.
Vendor: Advantech
Equipment: WebAccess
Vulnerabilities: Untrusted Pointer Dereference, Stack-based Buffer Overflow, Path Traversal, SQL Injection, Improper Input Validation.
## UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-18-004-02 Advantech WebAccess that was published January 4, 2018, on the NCCIC/ICS-CERT web site.
## AFFECTED PRODUCTS
Advantech reports the vulner
No detection rules found.
Tenable
Multiple Advantech WebAccess Vulnerabilities
blogs_tenable·2019-04-04
Tenable
[R2] Advantech WebAccess Stack Buffer Overflow
blogs_tenable·2018-12-14
Tenable
Tenable Research Advisory: Advantech WebAccess Remote Command Execution Still Exploitable
blogs_tenable·2018-09-10·CVSS 9.8
# Tenable Research Advisory: Advantech WebAccess Remote Command Execution Still Exploitable
Ryan Seguin
September 10, 2018
Tenable Researcher Chris Lyne discovered that Advantech WebAccess versions 8.3, 8.3.1 and 8.3.2 are still vulnerable to remote command execution CVE-2017-16720, which was originally disclosed by ZDI in January 2018 and has a public exploit.
## Background
Tenable Research’s Chris Lyne has discovered that Advantech WebAccess remains unprotected against a public exploit several months after a patch was released. Vulnerable WebAccess instances remain susceptible to an unauthenticated remote code execution (RCE) attack (CVE-2017-16720). WebAccess versions 8.3, 8.3.1 and 8.3.2 are affected.
On January 4, 2018, ICS-CERT released IC
Tenable
[R1] Advantech WebAccess Remote Code Execution
blogs_tenable·2018-09-10
- http://www.securityfocus.com/bid/102424
- https://ics-cert.us-cert.gov/advisories/ICSA-18-004-02
- https://www.exploit-db.com/exploits/44278/
- https://www.tenable.com/security/research/tra-2018-23
- https://www.zerodayinitiative.com/advisories/ZDI-18-024/