Advantech EKI Vulnerable to Bypass, Possible Backdoor

Researchers have uncovered yet another issue – and potential backdoor – in Advantech’s beleaguered EKI-1322 serial device server.


The Dropbear SSH daemon shipped with the server has been heavily modified and, as a result, fails to enforce authentication: any user who presents a public key and a password can bypass authentication. Dropbear is a lightweight SSH server and client.

Rapid7’s Chief Research Officer HD Moore discovered the vulnerability while looking at firmware version 1322_D1.98, a build that was released after a hard-coded SSH key vulnerability surfaced in the EKI-122X series of products last November.

The potential backdoor stems from a username and password combination that Moore discovered during firmware analysis: “remote_debug_please:remote_debug_please.” According to Rapid7, “its presence was merely noted during binary analysis,” which suggests there may be a backdoor hard-coded into the version.

The firm claims it is unclear whether the backdoor is reachable on a production device by an unauthenticated attacker.

Rapid7 reported the authentication bypass issue to Advantech on Nov. 11, and the company remedied the vulnerability with an update, EKI-1322_D2.00_FW, which it pushed on Dec. 30. However, the company has yet to address the purpose or existence of the account that may be associated with the backdoor.

The EKI series of products are Modbus gateways that connect serial devices to TCP/IP networks, usually in ICS infrastructures.

In November, an independent researcher discovered that several Advantech EKI switches contained hard-coded SSH keys, something that could make it easy for an attacker to intercept communications to and from the devices. The Taiwanese company released new firmware to fix the issue, but it wasn’t long before another problem popped up in the products.

Researchers with Rapid7 pointed out in early December that the EKI-1322 was still vulnerable to Shellshock and Heartbleed, the 2014 bugs that affected machines running Bash and OpenSSL respectively.
