CVE-2020-16211
Description
Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. An out-of-bounds read vulnerability may be exploited by processing specially crafted project files, which may allow an attacker to read information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advantech WebAccess HMI Designer versions ≤2.1.9.31 contain an out-of-bounds read in PM3 file parsing, allowing information disclosure via crafted project files.
Vulnerability
An out-of-bounds read vulnerability exists in Advantech WebAccess HMI Designer versions 2.1.9.31 and prior [1][2]. The flaw resides in the parsing of PM3 project files, where the application fails to properly validate user-supplied data, resulting in a read past the end of an allocated buffer [2]. This CVE (CVE-2020-16211) is one of several buffer-related issues discovered in the same software [1].
Exploitation
Exploitation requires user interaction: the target must open a specially crafted project file (e.g., via a malicious webpage or email attachment) [2]. An attacker with no prior access can leverage this flaw remotely but must convince the user to process the malicious file [1][2]. The skill level to exploit is rated low and the attack vector is local (AV:L); the attacker does not need authenticated access but relies on social engineering [1].
Impact
Successful exploitation results in an out-of-bounds read, leading to disclosure of sensitive information from the application's memory [1][2]. The CVSS v3 base score is 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N), indicating low confidentiality impact and no direct impact on integrity or availability [1]. However, this vulnerability can be combined with others (e.g., heap-based buffer overflow) to achieve arbitrary code execution in the context of the current process [2].
Mitigation
Advantech has not released a fix as of the publication date (2020-08-06) [1]. Users are advised to apply defense-in-depth measures, restrict file opening from untrusted sources, and monitor vendor advisories for updated versions. The affected product is legacy; no workaround is available in the references [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Advantech/WebAccess HMI Designer
  - Range: <=2.1.9.31
Patches
No patches discovered yet.
References
- us-cert.cisa.gov/ics/advisories/icsa-20-219-02
- www.zerodayinitiative.com/advisories/ZDI-20-957/