VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2020 · Updated Aug 4, 2024

CVE-2020-16217

Description

Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. A double free vulnerability caused by processing specially crafted project files may allow remote code execution, disclosure/modification of information, or cause the application to crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A double-free vulnerability in Advantech WebAccess HMI Designer (≤2.1.9.31) during PM3 file parsing can lead to remote code execution, info disclosure, or application crash.

Vulnerability

A double-free vulnerability exists in Advantech WebAccess HMI Designer versions 2.1.9.31 and prior [1]. The flaw resides in the parsing of specially crafted PM3 project files; the code does not validate the existence of an object before performing further free operations, resulting in a double-free condition [1][2].
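The flaw class described above, shown as an added C example (not Advantech's code and not taken from the cited advisories): a release routine that does not check whether the object still exists, beside a hardened form that makes a second cleanup call harmless. The record layout, type names and function names are hypothetical and do not reflect the PM3 format.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed object and parser state (not the PM3 layout). */
typedef struct { char *name; } obj_t;
typedef struct { obj_t *obj; int frees; } ctx_t;

/* Flawed pattern, for contrast (never called): no existence check, c->obj left dangling. */
void release_unchecked(ctx_t *c) {
    free(c->obj->name);
    free(c->obj);
}

/* Hardened form: validate existence, free once, clear the owning pointer. */
int release_checked(ctx_t *c) {
    if (c == NULL || c->obj == NULL) return 0;   /* nothing left to release */
    free(c->obj->name);
    free(c->obj);
    c->obj = NULL;
    c->frees++;
    return 1;
}

/* Constructed record: [1-byte name length][name bytes]; error path releases the object. */
int parse_record(ctx_t *c, const unsigned char *buf, size_t len) {
    if (len < 1) return -1;
    size_t n = buf[0];
    if ((c->obj = calloc(1, sizeof *c->obj)) == NULL) return -1;
    if (n > len - 1 || (c->obj->name = malloc(n + 1)) == NULL) {
        release_checked(c);
        return -1;
    }
    memcpy(c->obj->name, buf + 1, n);
    c->obj->name[n] = '\0';
    return 0;
}

/* Teardown runs after every load attempt; returns the number of frees performed. */
int load_project(const unsigned char *buf, size_t len, int *rc) {
    ctx_t c = {0};
    *rc = parse_record(&c, buf, len);
    release_checked(&c);   /* no-op when the error path already released */
    return c.frees;
}

int main(void) {
    const unsigned char bad[] = {9, 'a', 'b'};   /* constructed: claims 9 bytes, has 2 */
    int rc, frees = load_project(bad, sizeof bad, &rc);
    return (rc == -1 && frees == 1) ? 0 : 1;
}
```

With `release_unchecked` in both cleanup paths, the malformed record would be freed once on the error path and again at teardown; building test harnesses with AddressSanitizer (`-fsanitize=address`) reports that second free.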

Exploitation

An attacker can exploit this vulnerability remotely by convincing a user to open a malicious PM3 project file (e.g., via a malicious webpage or email attachment) [2]. No authentication or special privileges are required on the target system, but user interaction is mandatory [1][2]. The attacker needs to craft a project file that triggers the double-free sequence during parsing.

Impact

Successful exploitation can allow the attacker to execute arbitrary code in the context of the current process (the HMI Designer application) [2]. The vulnerability can also be used to read or modify information, or to crash the application [1]. The CVSS v3 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [2].

Mitigation

Advantech has not yet released a patched version for this specific vulnerability as of the advisory date [1]. Users should apply any available vendor updates when released, and avoid opening untrusted project files. The vendor has published general security guidance and recommends upgrading to a fixed version when it becomes available [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
