Two critical vulnerabilities have been discovered by a researcher in industrial device servers from Taiwan-based industrial networking solutions provider Lantech. The flaws can be exploited remotely even by an attacker with a low skill level, but the vendor has not released any patches.
According to Lantech, IDS 2102 is a device server designed to convert one RS232/422/485 serial port to two 10/100 Ethernet connections. The device, used worldwide in the critical manufacturing sector, can be managed and configured remotely over the Internet.
The vendor claims the device has several security features, including features for protecting the network connection and keeping attackers out. However, researcher Florian Adamsky discovered a couple of critical flaws that can be exploited remotely to execute arbitrary code and compromise the system.
The vulnerabilities have been described as an improper input validation issue (CVE-2018-8869) and a stack-based buffer overflow (CVE-2018-8865) – both with CVSS scores of 9.8.
Improper input validation issues can typically be exploited for cross-site scripting (XSS) attacks, SQL injection and command injection. In the case of Lantech IDS 2102 devices, nearly all the input fields in the web interface lack validation.
According to Adamsky, both vulnerabilities can be exploited remotely by an attacker who can gain access to the web interface, which by default has no password set.
Exploiting CVE-2018-8869 allows an attacker to write arbitrary data to the device’s main configuration file located at /etc/com2net.conf.
“The program ser2net reads the configuration file and interprets it. One function called del_ip_proceeded_0 tries to ensure that the input is a valid IP address. However, they use strcpy to copy the string and here you have a classical stack-based buffer overflow,” Adamsky told SecurityWeek.
The researcher says an attacker can leverage the first vulnerability to write exploit code to the configuration file, and the code is executed when the file is read by the ser2net component.
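The bug class described above, shown as an added example that is not Lantech's firmware code: an unbounded `strcpy` into a fixed stack buffer next to a length-checked parser for the same configuration field. The function names, the 16-byte buffer and the sample values are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern of the kind described: the field is copied into a fixed
 * stack buffer before anything checks its length. Contrast only; not called. */
int parse_ip_unsafe(const char *field, struct in_addr *out)
{
    char buf[16];                  /* assumed size, hypothetical */
    strcpy(buf, field);            /* writes past buf when field is >= 16 bytes */
    return inet_pton(AF_INET, buf, out) == 1 ? 0 : -1;
}

/* Hardened form: bound the length first, then let inet_pton decide whether
 * the text is a dotted-quad IPv4 address. Returns 0 on success, -1 on reject. */
int parse_ip_checked(const char *field, struct in_addr *out)
{
    char buf[INET_ADDRSTRLEN];     /* 16: "255.255.255.255" plus NUL */
    const char *end;
    size_t len;

    if (field == NULL || out == NULL)
        return -1;
    end = memchr(field, '\0', sizeof buf);
    if (end == NULL || end == field)
        return -1;                 /* too long or empty: reject, never truncate */
    len = (size_t)(end - field);
    memcpy(buf, field, len + 1);   /* len + 1 <= sizeof buf, includes the NUL */
    return inet_pton(AF_INET, buf, out) == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from a real com2net.conf. */
    const char *samples[] = {
        "192.168.1.10",
        "999.1.1.1",
        "10.0.0.1;extra",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    struct in_addr a;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s %s\n", samples[i],
               parse_ip_checked(samples[i], &a) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The same check belongs at both ends of the chain the article describes: where the web interface writes the value to the configuration file and where the daemon reads it back.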
Adamsky says it’s difficult to tell how many devices are exposed to remote attacks from the Internet due to the fact that Lantech uses Linux with default services.
The vulnerabilities affect Lantech IDS 2102 running version 2.0 and prior of the firmware. According to an advisory published by ICS-CERT last week, Lantech has not responded to attempts by the National Cybersecurity and Communications Integration Center (NCCIC) to report the security holes.
Contacted by SecurityWeek, Lantech said the IDS-2102 product has been phased out since January 2018.
Vulnerabilities in industrial serial-to-ethernet converters
Adamsky and Thomas Engel of the University of Luxembourg’s SECAN-Lab have been analyzing industrial serial-to-ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. In the 2015 attack on Ukraine’s power grid, which resulted in significant blackouts, hackers targeted these types of devices in an effort to make them inoperable.
In November 2017, ICS-CERT published an advisory describing several high severity vulnerabilities found by the researchers as part of this project in Moxa NPort serial device servers. Unlike Lantech, however, Moxa released firmware updates to patch the flaws.
“So far, we have investigated three common serial-to-ethernet converters and found serious security vulnerabilities in each of them,” Adamsky told SecurityWeek. “These devices are normally not cheap (nearly all of them cost > $100) but there is nearly no software quality.”
“At least Moxa fixed the security vulnerabilities. In case of Lantech, they are not interested in fixing these bugs at all. This is very dangerous, especially for providers of critical infrastructure,” he added.
*Updated with clarifications from Lantech

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
