Advantech EKI Multiple Known Vulnerabilities
While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01 advisory, a number of additional security issues were discovered in the product. All results come from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.
The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments. The firmware analyzed is specific to the EKI-1322 GPRS (General Packet Radio Service) IP gateway device, but given the scope of ICSA-15-309-01, it is presumed these issues are present on other EKI products.
HD Moore of Rapid7, Inc.
The following three issues were discovered by examining the available firmware for the EKI devices.
The product includes the bash shell, version 2.05. This version is vulnerable to the Shellshock vulnerability. The flaw can be exploited via the Boa web server through any of the shell scripts in /www/cgi-bin. The exposure was successfully exploited on both firmware versions 1.98 and 1.96, tested against the actual binaries in an emulated environment using a Metasploit module submitted as PR #6298.
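As an added example (not part of the advisory or the Metasploit module), the following Python check inspects captured HTTP requests to the Boa daemon for the function-definition prefix that triggers the bash environment import, and rates a hit higher when the request targets a CGI script. The sample requests, the host address and the script name status.sh are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Bash 4.3 and earlier (including 2.05) import a function from any environment
# variable whose value starts with the exact bytes "() {" (CVE-2014-6271).
# The looser regex also catches spacing variants seen in scanner traffic.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Assumption: Boa maps the firmware's /www/cgi-bin scripts to the /cgi-bin/ URL path.
CGI_PREFIX = "/cgi-bin/"

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, path-without-query, headers)."""
    lines = raw.strip("\r\n").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers

def classify(raw: str) -> Tuple[str, List[str]]:
    """Return ("clean", []) or a severity plus the headers carrying the prefix.
    Any header is passed to a CGI script's environment by the web server, so a
    request for a CGI path is rated "high"; elsewhere it is still a probe ("low")."""
    _method, path, headers = parse_request(raw)
    hits = sorted(h for h, v in headers.items() if SHELLSHOCK_RE.search(v))
    if not hits:
        return ("clean", [])
    return ("high" if path.startswith(CGI_PREFIX) else "low", hits)

# Constructed sample requests (not real captures).
BENIGN = ("GET /cgi-bin/status.sh HTTP/1.1\r\nHost: 192.0.2.10\r\n"
          "User-Agent: curl/7.29.0\r\n\r\n")
CGI_PROBE = ("GET /cgi-bin/status.sh HTTP/1.1\r\nHost: 192.0.2.10\r\n"
             "User-Agent: () { :; }; echo shellshock-test\r\n\r\n")
STATIC_PROBE = ("GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                "Referer: () { :;}; echo shellshock-test\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("cgi", CGI_PROBE), ("static", STATIC_PROBE)):
        print(name, classify(req))
```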
The product includes OpenSSL version 1.0.0e, which is vulnerable to the Heartbleed vulnerability as well as a number of other issues. This should be exploitable via the Boa HTTP daemon.
R7-2015-25.3: DHCP Stack-based Buffer Overflow
The DHCP client is version 1.3.20-pl0, which appears to be vulnerable to a number of known issues, including CVE-2012-2152.
All three issues require a firmware update from the vendor that brings the shipped components up to versions patched against the named issues. End users of these devices are advised to ensure that they are not reachable from untrusted networks such as the Internet.
These issues are not newly discovered vulnerabilities, but rather known vulnerabilities that are shipping on production industrial control systems today.
- Wed, Nov 11, 2015: Initial contact to vendor
- Tue, Dec 01, 2015: Public disclosure and Metasploit module published.