Update Critical industrial switches used worldwide for automation contained hard-coded SSH keys that put devices and networks at risk.
Advantech, a Taiwanese distributor, has developed new firmware for its EKI-122x series of products that disables HTTPS and SSH. SSH keys are a means by which computers authenticate one another without the need for a password.
The issue was reported by Neil Smith, an independent security researcehr who has disclosed numerous bugs including this one to the Industrial Control System Cyber Emergency Readiness Team (ICS-CERT).
“The user should be aware that this upgrade will turn off their existing HTTPS and SSH and they will need to reconfigure the device to turn it back on. So if a user is planning on remotely upgrading the device via HTTPS or SSH, they need to be aware that it will come back on without it, and they will need to have a means to securely connect to the device,” Smith told Threatpost.
Advantech said the hard-coded SSH keys were found in:
- EKI-136* product line prior to firmware version 1.27,
- EKI-132* product line prior to firmware version 1.98, and
- EKI-122*-BE product line prior to firmware version 1.65.
ICS-CERT published an advisory warning that the issue could be exploited remotely.
“An attacker who exploits this vulnerability may be able to intercept communications to and from this device,” ICS-CERT said in its advisory, adding that it is not aware of public exploits.
The patched firmware has been available for a couple of weeks, ICS-CERT said.
“For the EKI‑122*-BE (v1.65) and EKI-136* (v1.27) product lines, HTTPS and SSH is disabled. For the EKI‑132* (v1.98) product line, additional configurations were added to allow customization for the HTTPS and SSH keys,” the advisory said.
This story was updated Nov. 13 to correct Neil Smith’s affiliation and add a comment.