A vulnerability in Advantech’s EKI-1322 serial device server would allow any user to bypass authentication by using any public key and password.
Exploitation of the flaw could allow an attacker to execute arbitrary code, to obtain private keys, or to impersonate the authenticated user and perform a man-in-the-middle attack.
The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments, and are deployed in industrial automation globally. They can be integral parts of the networks that run critical infrastructure.
The Rapid7 team found that the heavily modified Dropbear SSH daemon used in the 1.98 version of the firmware did not enforce authentication.
In addition, there may be a backdoor hardcoded into this version of the binary as well, using the username and password of “remote_debug_please:remote_debug_please.”
“Note that it is unconfirmed if this backdoor account is reachable on a production device by an otherwise unauthenticated attacker,” the researchers said in an advisory. “Its presence was merely noted during binary analysis, and the vendor has not acknowledged the purpose or existence of this account.”
Fortunately, the issue is resolved in EKI-1322_D2.00_FW. If that firmware cannot be installed, Rapid7 recommends that users of these devices ensure that sufficient network segmentation is in place, and that only trusted users and devices are able to communicate with the EKI-123 device.
This is the latest vulnerability in the product; earlier, ICS-CERT warned that the routers are vulnerable to the Shellshock flaw, unless updated.