Last updated at Fri, 10 May 2019 17:14:27 GMT

Advantech EKI Multiple Known Vulnerabilities

While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01 advisory, a number of additional security issues were discovered with the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.

Product Summary

The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments. The firmware analyzed is specific to the EKI-1322 GPRS (General Packet Radio Service) IP gateway device, but given the scope of ICSA-15-309-01, it is presumed these issues are present on other EKI products.

Credit

HD Moore of Rapid7, Inc.

Details

The following three issues were discovered by examining the available firmware for the EKI devices.

R7-2015-25.1: Shellshock

The product includes the bash shell, version 2.05. This version is vulnerable to the Shellshock vulnerability. This flaw can be exploited through the Boa web server through any of the shell scripts in /www/cgi-bin. The exposure has been successfully exploited on both versions 1.98 and 1.96, tested with the actual binaries in an emulator environment with a Metasploit module submitted as PR #6298.

R7-2015-25.2: Heartbleed

The product includes OpenSSL version 1.0.0e, which is vulnerable to the Heartbleed vulnerability as well as a number of other issues. This should be exploitable via the Boa HTTP daemon.

R7-2015-25.3: DHCP Stack-based Buffer Overflow

The DHCP client is version 1.3.20-pl0, which appears to be vulnerable to a number of known issues, including CVE-2012-2152.

Mitigations

All three issues require an update from the vendor in order to update the shipping software to versions patched against the named issues. End users of these devices are advised to ensure that these devices are not reachable by untrusted networks such as the Internet.

Disclosure Timeline

These issues are not newly discovered vulnerabilities, but rather known vulnerabilities that are shipping on production industrial control systems today.