Researchers at security firm Rapid7 discovered that the latest firmware version for some Advantech EKI products is plagued by several known vulnerabilities.
Advantech EKI are Modbus gateways designed for connecting serial devices to TCP/IP network-based devices in industrial control environments.
The Taiwan-based industrial automation company recently released new firmware versions for EKI-136X, EKI-132X and EKI-122X products to address a security flaw related to the existence of hardcoded SSH keys (CVE-2015-6476).
While analyzing one of the new firmware versions, Rapid7’s HD Moore discovered that it includes version 2.05 of the bash shell, which is known to be vulnerable to Shellshock attacks.
“This flaw can be exploited through the Boa web server through any of the shell scripts in /www/cgi-bin. The exposure has been successfully exploited on both versions 1.98 and 1.96, tested with the actual binaries in an emulator environment with a Metasploit module submitted as PR #6298,” Rapid7 security research manager Tod Beardsley wrote in an advisory.
In addition, the Advantech EKI firmware also includes version 1.0.0e of OpenSSL, which is vulnerable to Heartbleed attacks. The OpenSSL Project will end support for the 1.0.0 version starting with January 1, 2016.
The DHCP client used by Advantech is also highly outdated and known to contain vulnerabilities, including a high-severity stack-based buffer overflow discovered in 2012.
Beardsley has pointed out that while none of these flaws are new, the problem is that the vulnerable firmware can be found on production industrial control systems. The expert also noted that while the analyzed firmware is for the EKI-1322 GPRS IP Gateway (EKI-1322_D1.98_FW), it’s likely that other products are affected as well.
Rapid7 contacted Advantech on November 11 and published a Metasploit module on December 1. Advantech has not responded to SecurityWeek’s request for comment by the time of publication.
This is the third time someone has found vulnerabilities in Advantech’s Modbus gateways. In February, the vendor patched a serious flaw that could have been exploited by remote attackers to execute arbitrary code.
In September, a researcher disclosed a total of seven zero-day vulnerabilities affecting Advantech’s WebAccess HMI/SCADA product. The security holes were reported to the company in December 2014.
Over the past five years, ICS-CERT has published 15 advisories describing vulnerabilities in Advantech products. The organization reported last year that WebAccess was one of the ICS products targeted in a campaign involving a variant of the BlackEnergy malware.
