CVE-2018-8835
Description
Double free vulnerabilities in Advantech WebAccess HMI Designer 2.1.7.32 and prior caused by processing specially crafted .pm3 files may allow remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double free vulnerability in Advantech WebAccess HMI Designer 2.1.7.32 and prior allows remote code execution via specially crafted .pm3 files.
Vulnerability
A double free vulnerability (CWE-415) exists in Advantech WebAccess HMI Designer versions 2.1.7.32 and prior [1]. The flaw is triggered when the application processes a specially crafted .pm3 file, leading to a double free condition in memory management routines [1].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a malicious .pm3 file, typically delivered via email or other social engineering methods [1]. No authentication is required, and the attack can be launched remotely by an attacker with a low skill level [1]. User interaction is limited to opening the file, after which the double free occurs during parsing [1].
Impact
Successful exploitation allows an attacker to achieve remote code execution in the context of the application [1]. The CVSS v3 base score is 6.3, with a vector string of AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L, indicating low impact on confidentiality, integrity, and availability [1].
Mitigation
As of the advisory publication date (2018-04-25), no patch was available from Advantech [1]. Users are advised to avoid opening untrusted .pm3 files and to follow best practices for handling files from unknown sources [1]. The vendor was working with NCCIC to provide mitigation steps [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.1.7.32
- ICS-CERT / Advantech WebAccess HMI Designer (v5). Range: Advantech WebAccess HMI Designer, Version 2.1.7.32 and prior.
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/103972 (mitre; vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-18-114-03 (mitre; x_refsource_MISC)