VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2020 · Updated Aug 4, 2024

CVE-2020-16213

Description

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Processing specially crafted project files lacking proper validation of user supplied data may cause the system to write outside the intended buffer area, which may allow remote code execution, disclosure/modification of information, or cause the application to crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Advantech WebAccess HMI Designer versions up to 2.1.9.31 fail to validate user-supplied data when parsing PM3 project files, leading to an out-of-bounds write that can enable remote code execution or application crash.

Vulnerability

CVE-2020-16213 is an out-of-bounds write vulnerability (CWE-787) in Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. The flaw occurs during the parsing of specially crafted Project Model 3 (PM3) project files. The software lacks proper validation of user-supplied data, which can result in writing data past the end of an allocated buffer [1], [2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious PM3 project file. Remote exploitation is possible if the target visits a malicious page or opens a malicious file via email. No authentication is required, and the attack complexity is low. The user must interact with the crafted file, making it a user-assisted attack [1], [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the current process (the HMI Designer application). This can lead to remote code execution, disclosure or modification of information, or cause the application to crash. The CVSS v3 base score is 7.8, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1], [2].

Mitigation

Advantech has released an update to address the vulnerability. The fixed version is WebAccess HMI Designer 2.1.9.32, according to the CISA advisory. Users should update to this or a later version. There are no known workarounds. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
