Twice in the past year, security researchers have found and reported critical vulnerabilities in Modbus gateways built by Advantech that are used to connect serial devices in industrial control environments to IP networks.
Most recently, independent security researcher Neil Smith found hard-coded SSH keys in the Advantech EKI series of devices, while a year ago Core Security experts found buffer overflow and code injection flaws in the same product.
Despite all the eyes on the firmware, it seems two of the biggest bugs ever slipped through the cracks.
Researchers at Rapid7 yesterday disclosed that the EKI-1322 GPRS IP gateway device is vulnerable to both Shellshock and Heartbleed, critical flaws in the bash shell and OpenSSL respectively.
Shellshock and Heartbleed were Internet-wide bugs that in 2014 affected millions of Linux and UNIX machines running the Bash shell or vulnerable versions of the OpenSSL library. Fixes for all versions of Bash on Linux and OpenSSL were quickly pushed out, but as with many major vulnerabilities, users are reliant on vendors to apply patches in a timely fashion. Advantech has fallen short here, not only in its failure to patch two massive vulnerabilities, but in its silence in acknowledging Rapid7’s disclosure, which was made on Nov. 11. A request for comment by Threatpost to a U.S.-based representative of the Taiwan company was not returned in time for publication.
“I’m kind of shaking my head over this because if you go back and look at previous history of vulnerabilities in these devices, another security company did an audit of all the web-facing binaries in January and at the time all the same vulnerabilities that I noted a couple of weeks ago were there as well,” said HD Moore, chief research officer of Rapid7 and creator of Metasploit. “It’s kind of confusing why someone went to all the trouble of reverse engineering the binaries, finding the stack overflows, finding the backdoor and SSH keys and just didn’t bother to check for Shellshock. I’m not sure what happened there but it’s kind of funny that the previous audit had missed the most obvious bugs.”
Rapid7 also found security issues in the product’s DHCP client version 1.3.20-pl0, including a stack-based buffer overflow. Moore, however, said he’s not sure the vulnerability is exploitable, but since the client is so outdated, it’s likely to be vulnerable to other flaws as well.
Exploiting Shellshock, however, figures to be a little more straightforward given the fact that exploits have been public since shortly after the initial disclosures; exploits were also quickly integrated into Metasploit. In this case, however, the risks are likely lessened.
“It’s probably not being targeted in the wild right now because you have to know the specific CGI path to exploit it,” Moore said. “Older devices have a script called ping.sh, but on newer devices they have three or four shell scripts in a particular directory but none of the existing attacks against Shellshock look for those specific CGI-BIN names. Even though they’re exploitable they probably have not been exploited through this bug before.”
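Moore's point that existing scanners key on well-known CGI paths suggests that detection on the defender's side should key on the Shellshock marker in request headers rather than on the URL. The following is an added example, not code from the article or from Rapid7 or Advantech; the log lines and the extended access-log layout (Referer and User-Agent as the last two quoted fields) are constructed assumptions.

```python
import re
from typing import List, NamedTuple

# The bash function-definition prefix that every Shellshock probe carries in an
# environment-variable value (here, an HTTP header). Spacing varies between
# probes, so the pattern tolerates it.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Assumed extended access-log layout: combined log format with Referer and
# User-Agent as the last two quoted fields.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): one benign request to a ping.sh
# CGI script, then three probes against both known and unknown paths.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Nov/2015:10:01:02 +0000] "GET /cgi-bin/ping.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Nov/2015:10:01:05 +0000] "GET /cgi-bin/ping.sh HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock-probe"
203.0.113.9 - - [11/Nov/2015:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :;}; echo probe" "curl/7.38"
203.0.113.9 - - [11/Nov/2015:10:02:15 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 404 0 "-" "() {:;}; echo probe"
"""


class Hit(NamedTuple):
    src: str
    path: str
    field: str        # which header carried the marker
    reached_cgi: bool # True when a CGI path answered 200, i.e. the script likely ran


def find_shellshock_probes(log_text: str) -> List[Hit]:
    """Flag requests whose Referer or User-Agent carries the Shellshock marker.

    Matching on the header value rather than the URL means vendor-specific CGI
    script names (such as ping.sh) are covered exactly like the well-known ones.
    """
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        for field in ("referer", "ua"):
            if SHELLSHOCK_MARKER.search(m.group(field)):
                reached = m.group("path").startswith("/cgi-bin/") and m.group("status") == "200"
                hits.append(Hit(m.group("src"), m.group("path"), field, reached))
                break
    return hits
```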
In early November, Advantech and ICS-CERT warned of the hard-coded SSH keys found in the firmware of the EKI-122x series; new firmware developed by Advantech addressed the issue by turning off SSH and HTTPS.
“The user should be aware that this upgrade will turn off their existing HTTPS and SSH and they will need to reconfigure the device to turn it back on. So if a user is planning on remotely upgrading the device via HTTPS or SSH, they need to be aware that it will come back on without it, and they will need to have a means to securely connect to the device,” Smith told Threatpost.
Advantech said the hard-coded SSH keys were found in:
- EKI-136* product line prior to firmware version 1.27,
- EKI-132* product line prior to firmware version 1.98, and
- EKI-122*-BE product line prior to firmware version 1.65.
Moore, meanwhile, said that Smith’s work caught his attention and that he dug into the new firmware looking for additions to the SSH BadKeys project he maintains, which led him to discover the additional vulnerabilities.
Moore also said that while he found the OpenSSH configuration and associated private keys, neither is being used on the 132 series he examined. Instead, Moore said, the Dropbear SSH client is used to generate RSA keys on the fly.
“When the system boots up, there’s a binary called edgserver and that one kicks off all other processes on the system and part of that creates a Dropbear key file on startup,” Moore said. “Both new and old versions create that key on startup. They’re not vulnerable, and the key on the device isn’t being used by anything.”