===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2851
                Advantech SUSIAccess Server Vulnerabilities
                              5 December 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Advantech SUSIAccess Server
Publisher:         ICS-CERT
Operating System:  Windows
Impact/Access:     Increased Privileges     -- Console/Physical            
                   Create Arbitrary Files   -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated      
Resolution:        Alternate Program
CVE Names:         CVE-2016-9353 CVE-2016-9351 CVE-2016-9349

Original Bulletin: 
   https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04

Comment: Advantech no longer supports SUSIAccess. They have developed 
         WISE-PaaS/RMM to replace it.

--------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-16-336-04)

Advantech SUSIAccess Server Vulnerabilities

Original release date: December 01, 2016

Legal Notice 

All information products included in http://ics-cert.us-cert.gov
are provided "as is" for informational purposes only. The Department of 
Homeland Security (DHS) does not provide any warranties of any kind regarding
any information contained within. DHS does not endorse any commercial product
or service, referenced in this product or otherwise. Further dissemination of
this product is governed by the Traffic Light Protocol (TLP) marking in the 
header. For more information about TLP, see http://www.us-cert.gov/tlp/.

OVERVIEW 

Researcher rgod, working with the Zero Day Initiative (ZDI), has identified
an information disclosure, a directory traversal, and a privilege escalation
vulnerability in Advantech's SUSIAccess Server. Advantech has produced new
software to mitigate these vulnerabilities. These vulnerabilities could be
exploited remotely.

AFFECTED PRODUCTS 

The following SUSIAccess Server versions are affected:
SUSIAccess Server Version 3.0 and prior.

IMPACT 

Successful exploitation of these vulnerabilities may result in file 
manipulation or arbitrary code execution. Impact to individual organizations 
depends on many factors that are unique to each organization. NCCIC/ICS-CERT 
recommends that organizations evaluate the impact of these vulnerabilities 
based on their operational environment, architecture, and product 
implementation.

BACKGROUND 

Advantech is a Taiwan-based company with distribution offices in 21
countries worldwide. The affected product, SUSIAccess Server, is a platform as
a service (PaaS) for cloud and Internet of Things (IoT) devices. According to
Advantech, SUSIAccess Server is deployed across several sectors including 
Commercial Facilities, Critical Manufacturing, Energy, and Government 
Facilities. Advantech estimates that this product is used worldwide.

VULNERABILITY CHARACTERIZATION 

VULNERABILITY OVERVIEW

INFORMATION EXPOSURE[a] 

An attacker could traverse the file system and extract files that can result in 
information disclosure. CVE-2016-9349[b] has been assigned to this 
vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector
string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).[c]

PATH TRAVERSAL[d] 

A directory traversal flaw in the file upload function allows an attacker to
upload a zip file that is then unpacked on the server, so that archive entries
can be written outside the intended directory. CVE-2016-9351[e] has been
assigned to this vulnerability. A CVSS v3 base score of 8.0 has been
assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H).[f]
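As an added example (not code from the advisory or from Advantech), the check an upload handler needs against the unpack-with-traversal class described above: every archive entry is resolved against one fixed destination directory and refused if it would land outside it. The archive contents and directory names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Added example, not from the advisory or Advantech. Extract an uploaded
# archive only into one fixed destination directory, refusing any entry
# whose resolved path would land outside it. Sample archive is constructed.


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves inside dest_dir."""
    dest_real = os.path.realpath(dest_dir)
    # Absolute paths and Windows drive letters are never acceptable.
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract safe members only; return the names of rejected entries."""
    rejected = []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)  # log and skip, never write
                continue
            zf.extract(info, dest_dir)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "benign content")
        zf.writestr("../../outside.txt", "must never be written")
    return buf.getvalue()


def demo() -> tuple:
    """Run the sample through safe_extract in a temp dir; return results."""
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_archive(), dest)
    with open(os.path.join(dest, "report", "summary.txt")) as fh:
        kept = fh.read()
    return rejected, kept
```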

PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS[g] 

The admin password is stored on the system encrypted with a static key that
is hard-coded in the program, so an attacker who obtains the stored value can
recover the admin account password and use it. CVE-2016-9353[h] has been
assigned to this vulnerability. A CVSS v3 base score of 8.4 has been
assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).[i]
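As an added example, not code from the advisory or from Advantech: the reversible storage pattern the advisory describes (a fixed key inside the program; a toy XOR stands in for it here) beside the form a defender would want, a salted one-way hash that cannot be turned back into the password. The key and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os

# Added example, not from the advisory or Advantech. The weakness above is a
# stored admin password that is reversibly encrypted under a key fixed in the
# binary; toy XOR stands in for that scheme. The hardened form stores only a
# salted, iterated one-way hash, so the stored value does not yield the
# password even to someone holding both the program and the stored value.

STATIC_KEY = b"demo-static-key"  # constructed placeholder, not the real key


def xor_with_static_key(data: bytes) -> bytes:
    """Vulnerable pattern: reversible; applying it twice restores the input."""
    return bytes(b ^ STATIC_KEY[i % len(STATIC_KEY)] for i, b in enumerate(data))


def hashed_store(password: str, iterations: int = 200_000) -> str:
    """Hardened pattern: random per-record salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Recompute the hash under the stored parameters; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
```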

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.

DIFFICULTY

An attacker with a low skill would be able to exploit these vulnerabilities.

MITIGATION 

Advantech no longer supports SUSIAccess. They have developed 
WISE-PaaS/RMM to replace it. To coordinate the purchase of the new software, 
users should contact Advantech at: 
http://www.advantech.com/contact/inquiryrequestform?subject=price%2band%2bquotation

ICS-CERT recommends that users take defensive measures to minimize the risk
of exploitation of these vulnerabilities. Specifically, users should:

  * Minimize network exposure for all control system devices and/or systems,
    and ensure that they are not accessible from the Internet.
  * Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  * When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that VPNs may have vulnerabilities
    and should be updated to the most current version available. Also
    recognize that a VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended
practices on the ICS-CERT web page. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies. Additional mitigation
guidance and recommended practices are publicly available in the ICS-CERT
Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion
Detection and Mitigation Strategies, that is available for download from the
ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

a. CWE-200: Information Exposure,
   https://cwe.mitre.org/data/definitions/200.html, web site last accessed
   December 01, 2016.
b. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9349. NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
c. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S...,
   web site last accessed December 01, 2016.
d. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path
   Traversal'), https://cwe.mitre.org/data/definitions/22.html, web site last
   accessed December 01, 2016.
e. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9351. NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
f. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S...,
   web site last accessed December 01, 2016.
g. CWE-264: Permissions, Privileges, and Access Controls,
   https://cwe.mitre.org/data/definitions/264.html, web site last accessed
   December 01, 2016.
h. NVD, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9353. NIST
   uses this advisory to create the CVE web site report. This web site will be
   active sometime after publication of this advisory.
i. CVSS Calculator,
   https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S...,
   web site last accessed December 01, 2016.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================