AzeoTech DAQFactory
Description
This vulnerability could allow an attacker to disclose information and execute arbitrary code on affected installations of WebAccess/HMI Designer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-42706 is a heap-based buffer overflow in Advantech WebAccess HMI Designer, exploitable via a crafted project file to achieve arbitrary code execution.
Vulnerability
CVE-2021-42706 is a heap-based buffer overflow vulnerability (CWE-122) in Advantech WebAccess HMI Designer versions prior to 2.1.11.0 [1]. The flaw resides in the project file parsing mechanism; when the application opens a maliciously crafted project file, it can cause a heap-based buffer overflow [1].
Exploitation
An attacker must convince a victim to open a specially crafted project file using WebAccess HMI Designer [1]. No authentication is required, but user interaction is necessary. The attacker can deliver the malicious file via email, a web download, or other means. Once the victim opens the file, the parsing code triggers the vulnerability [1].
Impact
Successful exploitation allows an attacker to achieve arbitrary code execution with the privileges of the logged-in user [1]. This could lead to full compromise of the affected system, including information disclosure, data modification, and potential escalation of privileges [1]. The CVSS v3.1 base score is 7.8, indicating high severity [1].
Mitigation
Advantech has released version 2.1.11.0 of WebAccess HMI Designer to address CVE-2021-42706 [1]. Users should update to this version or later immediately. No workarounds are mentioned in the advisory [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: All versions
Patches
No patches discovered yet.
References
[1] us-cert.cisa.gov/ics/advisories/icsa-21-173-01 (mitre, x_refsource_MISC)