CVE-2018-10591 in WebAccess

Summary

by MITRE

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, an origin validation error vulnerability has been identified, which may allow an attacker to create a malicious web site, steal session cookies, and access data of authenticated users.


Analysis

by VulDB Data Team • 02/05/2020

This vulnerability represents a critical origin validation error that affects multiple Advantech WebAccess products including the main WebAccess platform, Dashboard, Scada Node, and NMS components. The flaw stems from insufficient validation of the HTTP Origin header during authentication processes, creating a pathway for cross-site request forgery attacks that can compromise user sessions and data integrity. The vulnerability impacts versions up to and including V8.2_20170817 and V8.3.0 for WebAccess, V2.0.15 for Dashboard, and 2.0.3 for NMS, as well as Scada Node versions before 8.3.1, indicating a widespread issue across the product line that has persisted for several years.

The technical implementation of this vulnerability allows attackers to craft malicious web pages that can trick authenticated users into making unintended requests to the vulnerable WebAccess systems. When a user visits the malicious site while authenticated to the WebAccess platform, the browser automatically includes the Origin header in subsequent requests, which the vulnerable system fails to properly validate. This creates an environment where session cookies can be hijacked and user data accessed without proper authorization, as the system cannot distinguish between legitimate requests from the intended domain and crafted requests from malicious origins. The flaw directly relates to CWE-346, which defines "Origin Validation Error" as a weakness where applications fail to properly validate the source of requests, and aligns with ATT&CK technique T1531 for "Account Access Removal" and T1566 for "Phishing", as attackers can leverage this vulnerability to establish unauthorized access through session hijacking.

The operational impact of this vulnerability extends beyond simple session theft, as it provides attackers with persistent access to sensitive industrial control system data and potentially enables further exploitation within the network environment. Organizations using these vulnerable versions of Advantech WebAccess face significant risk of unauthorized data access, potential disruption of industrial processes, and possible escalation to more severe cyber attacks targeting critical infrastructure. The vulnerability's persistence across multiple product versions suggests inadequate security testing and validation during development cycles, creating a substantial risk for industrial automation and monitoring systems that rely on these platforms. Security teams must consider the potential for lateral movement within industrial networks if attackers gain access through this vulnerability, as WebAccess systems often serve as central points for monitoring and controlling industrial processes.

Organizations should immediately implement mitigations including updating to the latest available versions of all affected Advantech WebAccess products, implementing proper Origin header validation at the network level, and deploying additional security controls such as web application firewalls that can detect and block malicious requests. Network segmentation should be implemented to limit access to WebAccess systems, and authentication should be strengthened through multi-factor authentication where possible. Regular security assessments of industrial control systems should include verification of patch compliance for known vulnerabilities, and incident response procedures should be updated to address potential session hijacking scenarios. The vulnerability demonstrates the critical importance of proper input validation and origin verification in industrial web applications, as these systems often handle sensitive operational data that could impact physical infrastructure and safety systems.
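The Origin validation recommended above, sketched as an added example (not Advantech's or VulDB's code) for a reverse proxy or middleware in front of the application. The hostname `scada.example.internal`, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the one origin operators use to reach the HMI (placeholder host).
ALLOWED_ORIGINS = {("https", "scada.example.internal", 443)}
DEFAULT_PORTS = {"http": 80, "https": 443}
# Assumption: safe methods never change state in the protected application.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def parse_origin(value):
    """Return (scheme, host, port) for an Origin or Referer value, or None."""
    if not value or value.strip().lower() == "null":
        return None  # opaque origins (sandboxed frames, data: URLs) never match
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or parts.username:
        return None  # unknown scheme, empty host, or userinfo in the authority
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def request_allowed(method, headers):
    """Allow a non-safe request only when its source origin is allowlisted.

    `headers` is a dict keyed by canonical header names ("Origin", "Referer").
    """
    if method.upper() in SAFE_METHODS:
        return True
    source = headers.get("Origin") or headers.get("Referer")
    origin = parse_origin(source)
    # Exact tuple comparison: no substring, prefix or suffix matching, and
    # requests carrying neither header are rejected.
    return origin is not None and origin in ALLOWED_ORIGINS


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for hdrs in ({"Origin": "https://scada.example.internal"},
                 {"Origin": "https://scada.example.internal.evil.test"},
                 {"Origin": "null"}, {}):
        print(hdrs, "->", request_allowed("POST", hdrs))
```

Comparing the parsed scheme, host and port as a tuple is what makes look-alike hosts, scheme downgrades and `null` origins fail closed instead of slipping past a string match.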

Reservation

05/01/2018

Disclosure

05/15/2018

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low
