A researcher has identified half a dozen vulnerabilities, including ones rated high severity by ICS-CERT, in industrial routers from eWON.
eWON is a Belgium-based company that specializes in industrial VPN routers and remote connectivity solutions designed for connecting industrial machines securely to the Internet. Its products are used in sectors such as transportation, textiles, robotics, water and wastewater, oil and gas, medical, energy, renewable energy, and food and beverage.
According to ICS-CERT, independent researcher Karn Ganeshen identified several vulnerabilities in the firmware running on eWON’s industrial routers. The vendor has released a firmware update to patch some of the flaws and provided mitigation advice for the unpatched issues.
The most serious of the vulnerabilities, with a CVSS score of 9.9 assigned by ICS-CERT, is a user rights management issue (CVE-2015-7926) that can be exploited by an unauthenticated attacker using a forged URL. eWON says the flaw allows an attacker to gather information and status on I/O servers, and change I/O server configuration parameters or delete some users.
Another issue rated high severity is related to the transmission of passwords in clear text (CVE-2015-7928), which allows a man-in-the-middle (MitM) attacker to intercept the information. Furthermore, some pages in the eWON web application, such as the user setup page, include an autocomplete feature that exposes passwords.
Ganeshen also identified a cross-site request forgery (CSRF) vulnerability that can be exploited to perform actions on a targeted user’s behalf (CVE-2015-7925). In theory, an attacker who can trick the victim into triggering a malicious request can execute firmware updates, reboot the device, or delete device configuration, but eWON noted in its own advisory that several requirements have to be met for an attack to work.
A stored cross-site scripting (XSS) issue has been found in the web application’s configuration fields, but eWON doesn’t see it as a real threat since it claims an attack can only be conducted by a user that has administrative privileges and who can get configuration changes right.
The expert also reported finding a weak session management issue that causes the session to remain active even after the user clicks the “log off” button. The session is only invalidated after the browser is closed.
The least serious issue is related to the fact that the web server allows the replacement of the POST method with the GET method in a request. The problem is that GET exposes information in the URL and the weakness could be used in combination with the CSRF vulnerability.
Some of these vulnerabilities affect all eWON devices, while others only impact the Flexy and CD models. The security holes plague eWON firmware versions prior to 10.1s0.
Firmware version 10.1s0 patches the password visibility, the user rights management, and browser session issues. In its advisory, eWON noted that the other vulnerabilities, such as the XSS and CSRF weaknesses, are either difficult to exploit or they don’t pose a serious threat.
The company has advised customers to always connect to eWON products via a secured LAN or VPN.