
How to remediate – Advantech / BroadWin WebAccess Client ‘bwocxrun.ocx’ Multiple…

1. Introduction

The Advantech / BroadWin WebAccess Client ‘bwocxrun.ocx’ ActiveX control is vulnerable to multiple remote vulnerabilities, including format string and memory corruption issues. This affects Windows systems using this software, potentially allowing an attacker to execute arbitrary code on the host machine by tricking a user into visiting a malicious web page. Successful exploitation could compromise confidentiality, integrity, and availability of affected systems.

2. Technical Explanation

The Advantech / BroadWin WebAccess Client ActiveX control (bwocxrun.ocx) contains flaws that allow for remote code execution. An attacker can exploit these vulnerabilities by crafting a specially designed web page containing malicious input, which when processed by the vulnerable control, allows them to execute arbitrary code in the context of the application. The vulnerability requires user interaction to visit the crafted webpage.

  • Root cause: Multiple memory corruption and format string vulnerabilities exist within the bwocxrun.ocx ActiveX control due to improper handling of input data.
  • Exploit mechanism: An attacker creates a malicious HTML page containing code that exploits the vulnerabilities in the ActiveX control. When a user visits this page with a vulnerable browser, the exploit is triggered.
  • Scope: Windows systems with the Advantech / BroadWin WebAccess Client installed are affected.

3. Detection and Assessment

To confirm vulnerability, check for the presence of the affected control and its version. Scanning tools can also help identify vulnerable instances.

  • Quick checks: Check for the existence of ‘bwocxrun.ocx’ in C:\Windows\System32 or C:\Windows\SysWOW64.
  • Scanning: Nessus vulnerability ID d44f6112 can be used to detect this issue, but results should be verified.
  • Logs and evidence: Look for unusual activity involving bwocxrun.ocx in Windows Event Logs, particularly application crashes or errors in the process that loads the control.
reg query "HKLM\SOFTWARE\Advantech" /v WebAccessClient

4. Solution / Remediation Steps

Remove the software or disable the affected control to mitigate this vulnerability. Prioritize removal as the preferred solution.

4.1 Preparation

  • A change window may be required depending on your organisation’s policies, and approval should be sought from relevant IT teams.

4.2 Implementation

  1. Step 1: Uninstall the Advantech / BroadWin WebAccess Client software through Control Panel > Programs and Features.
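  2. Step 2: If uninstallation is not possible, disable the affected control by unregistering it with regsvr32.exe. Open an elevated command prompt and run regsvr32 /u bwocxrun.ocx. This removes the control's COM registration; it does not set an Internet Explorer kill bit, which is a separate per-CLSID registry setting.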

4.3 Config or Code Example

Before

The bwocxrun.ocx control is registered and enabled. Check the registry for entries under HKLM\SOFTWARE\Classes\CLSID\{...}

After

The bwocxrun.ocx control is unregistered. Check registry to confirm the CLSID entry has been removed.

4.4 Security Practices Relevant to This Vulnerability

Implementing least privilege and a robust patch management process can help prevent exploitation of this type of vulnerability.

  • Practice 1: Least privilege – limit user accounts’ access rights to reduce the impact if an attacker gains control.
  • Practice 2: Patch cadence – Regularly update software to address known vulnerabilities, including ActiveX controls.

4.5 Automation (Optional)

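# PowerShell example to uninstall WebAccess Client (example only - test thoroughly!)
# Win32_Product lists MSI-installed products only; Uninstall() returns ReturnValue 0 on success.
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*WebAccessClient*" } |
    ForEach-Object { $_.Uninstall() }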

5. Verification / Validation

Confirm the fix by verifying the software is uninstalled or the control is disabled, and re-running detection methods to confirm the vulnerability no longer exists. Perform a basic service smoke test to ensure functionality isn’t impacted.

  • Post-fix check: Verify that ‘bwocxrun.ocx’ is no longer present in C:\Windows\System32 or C:\Windows\SysWOW64, and the registry entry for the control has been removed.
  • Re-test: Run the earlier `reg query` command to confirm that the WebAccess Client registry key is absent.
  • Monitoring: Monitor Windows Event Logs for errors related to missing ActiveX controls if functionality has been impacted.
reg query "HKLM\SOFTWARE\Advantech" /v WebAccessClient (should return no results)
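
A read-only PowerShell audit covering the checks in sections 3, 4.3 and 5 (an added example, not part of the original article or any vendor tooling): it looks for the file in both system directories, finds every CLSID whose InprocServer32 points at bwocxrun.ocx, and reports whether that CLSID has the Internet Explorer kill bit (Compatibility Flags 0x400) set. Variable names are illustrative, and the CLSID is discovered at run time because the article does not give it.

```powershell
# Added example: read-only audit for bwocxrun.ocx (file, COM registration, IE kill bit).
# Run from an elevated 64-bit PowerShell session so both file and registry views are visible.
$ocxName = 'bwocxrun.ocx'

# 1. File presence and version in the two directories the article names.
$files = foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    $path = Join-Path $dir $ocxName
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{
            Path        = $path
            FileVersion = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
    }
}

# 2. COM registration: every CLSID whose InprocServer32 default value points at the OCX,
#    in the native and the 32-bit (WOW6432Node) registry views.
$clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
$registrations = foreach ($root in $clsidRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        try { $server = $key.OpenSubKey('InprocServer32') } catch { continue }
        if (-not $server) { continue }
        $dll = [string]$server.GetValue('')
        $server.Close()
        if ($dll -notlike "*$ocxName*") { continue }

        # 3. Kill bit: bit 0x400 of 'Compatibility Flags' under the matching IE view.
        $compat = Join-Path ($root -replace 'Classes\\CLSID$',
            'Microsoft\Internet Explorer\ActiveX Compatibility') $key.PSChildName
        $flags = (Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid      = $key.PSChildName
            Server     = $dll
            KillBitSet = [bool]($flags -band 0x400)
        }
    }
}

if (-not $files -and -not $registrations) {
    'bwocxrun.ocx: no file and no COM registration found on this host.'
} else {
    $files | Format-Table -AutoSize
    $registrations | Format-Table -AutoSize
}
```

A host that still lists the file but shows no registration has only been unregistered; the control can be re-registered until the file itself is removed.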

6. Preventive Measures and Monitoring

Update security baselines, implement application whitelisting, and maintain a regular patch management cycle to prevent similar vulnerabilities in the future.

  • Baselines: Update your Windows baseline configuration to disallow or restrict installation of unnecessary ActiveX controls.
  • Asset and patch process: Implement a regular patch review cycle for all software, including third-party applications like the WebAccess Client.

7. Risks, Side Effects, and Roll Back

Removing the WebAccess Client may impact applications that rely on it. Ensure you have a backup to restore if needed.

  • Risk or side effect 2: Disabling the control might cause compatibility issues with older systems.
  • Roll back: Restore from backup if removal causes unexpected issues. If only disabled, re-register the control using `regsvr32 bwocxrun.ocx`.

8. References and Resources

Updated on October 26, 2025
