Advantech is having a rough go of it lately. Last week ICS-CERT released a notice regarding multiple vulnerabilities in its WebAccess product, now its EKI product has issues.
The most recent vulnerabilities come as a result of a security company analyzing a firmware update for the EKI product and they found an authentication bypass vulnerability and a possible backdoor account.
Advantech released firmware in October 2015 to patch a hardcoded SSH key issue affecting the company’s EKI series Modbus gateways, which connect serial devices to TCP/IP devices in industrial control environments.
An analysis of the new firmware by Rapid7 researchers revealed several old vulnerabilities. The Advantech product had been using outdated versions of OpenSSL, GNU Bash and the DHCP client, all of which contained vulnerabilities, such as Heartbleed and Shellshock. The vendor released firmware version 1.98 to address the flaws.
While analyzing version 1.98 for EKI-132x devices, Rapid7’s HD Moore found the Dropbear SSH daemon was not properly enforcing authentication. Dropbear is a small, open source SSH server and client software for embedded systems.
Moore discovered the Dropbear daemon failed to enforce authentication due to some significant changes made in version 1.98 of the EKI firmware. The flaw allows an attacker to bypass authentication using any public key and password, researchers said. The security hole’s case number is CVE-2015-7938 and it has a CVSS v3 score of 9.8.
An analysis of the firmware also revealed a possible backdoor account. Rapid7 discovered a hardcoded username and password, but it’s unclear if the credentials can end up used by an unauthenticated attacker to access a production device. Advantech has not shared any information on the purpose of the account with the researchers.
Advantech resolved the authentication bypass issue on December 30 with the release of firmware version 2.00.
“Customers are urged to install this firmware at their earliest opportunity,” Rapid7 said. “In the event that firmware cannot be installed, users of these devices should ensure that sufficient network segmentation is in place, and only trusted users and devices are able to communicate to the EKI-123* device.”