
Advantech HMI vulnerable

Advantech sysadmins: if you use the company's WebAccess human-machine interface (HMI) product, you'll need to upgrade it against newly-disclosed vulnerabilities.

The company mistakenly marked a number of DLLs as safe-for-scripting, when they were intended for restricted use; and there's a buffer overflow that can be triggered by a malicious DLL.

The ICS-CERT advisory says an attacker would need a bit of social engineering to trick a user into loading crafted DLLs, so it's not trivial to exploit.

However, since the product in question – formerly known as BroadWin Access – is a SCADA manager used in manufacturing, energy, and government facilities, getting the patched version would be a good idea.

Advantech has published Version 8.1_20160519 of WebAccess here. ®
