Holes Filled in Advantech ICS Gateways

Monday, December 7, 2015 @ 06:12 PM gHale

Advantech EKI Modbus gateways, designed for connecting serial devices to TCP/IP network-based devices, just underwent repairs, researchers said.

The Taiwan-based industrial automation company released new firmware versions for EKI-136X, EKI-132X and EKI-122X products to address a security flaw related to the existence of hardcoded SSH keys (CVE-2015-6476).


While analyzing one of the new firmware versions, HD Moore of security firm Rapid7 discovered it includes version 2.05 of the bash shell, known to be vulnerable to Shellshock attacks.

“This flaw can be exploited through the Boa web server through any of the shell scripts in /www/cgi-bin. The exposure has been successfully exploited on both versions 1.98 and 1.96, tested with the actual binaries in an emulator environment with a Metasploit module submitted as PR #6298,” Rapid7 security research manager Tod Beardsley said in a blog post.
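The exposure Beardsley describes works because a CGI web server hands every request header to the script as an environment variable, and an unpatched bash evaluates an environment value that starts with a function definition. The detection logic below is an added example for this article (it is not Rapid7's or Advantech's code): it parses combined-format access log lines, URL-decodes the path, and flags any request whose path, Referer or User-Agent carries the function-definition marker, noting whether the request hit a `/cgi-bin/` path. The log lines, the `status.cgi` file name and the `REDACTED_PAYLOAD` placeholder are all constructed for this example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined log format: client, identd, user, [timestamp], "request line",
# status, size, "referer", "user agent".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# A bash function definition passed through the environment begins with "() {"
# (whitespace between the parentheses and the brace is optional). This is the
# marker that distinguishes a Shellshock attempt from ordinary header content.
FUNC_DEF = re.compile(r"\(\)\s*\{")
CGI_PATH = re.compile(r"^/cgi-bin/")


def is_shellshock_attempt(value: str) -> bool:
    """True if a header or path value starts a bash function definition."""
    return FUNC_DEF.search(value) is not None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose path, referer or user agent
    carries the function-definition marker."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # partial write or a different log format: skip, do not crash
        # URL-decode the path so "()%20{" in a query string is caught as well.
        fields = {
            "path": unquote(m.group("path")),
            "referer": m.group("referer"),
            "user_agent": m.group("user_agent"),
        }
        for field, value in fields.items():
            if is_shellshock_attempt(value):
                hits.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "field": field,
                    "cgi": "yes" if CGI_PATH.match(m.group("path")) else "no",
                })
                break  # one finding per request is enough for triage
    return hits


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Dec/2015:18:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [07/Dec/2015:18:12:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 230 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Dec/2015:18:12:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 230 "-" "() { :;}; REDACTED_PAYLOAD"',
    '203.0.113.8 - - [07/Dec/2015:18:12:12 +0000] "GET /index.html HTTP/1.1" 200 512 "() {REDACTED" "curl/7.38"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} via {hit['field']} (cgi={hit['cgi']})")
```

A hit against a `/cgi-bin/` path on a device whose bash predates the Shellshock patches is the case to escalate; a hit against a static page still tells you someone is probing the gateway. Note that the default Common Log Format omits Referer and User-Agent, so enable the combined format (or equivalent header logging) on the web server in front of the gateways, otherwise this check can only see the request path.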

Advantech EKI firmware also includes version 1.0.0e of OpenSSL, which is vulnerable to Heartbleed attacks. The OpenSSL Project will end support for the 1.0.0 version starting January 1.

The DHCP client used by Advantech is also highly outdated and known to contain vulnerabilities, including a high-severity stack-based buffer overflow discovered in 2012.

Beardsley said that while none of these flaws are new, the problem is that the vulnerable firmware can be running on production industrial control systems. He said it is likely other products suffer from the same issue even though the analyzed firmware is for the EKI-1322 GPRS IP Gateway (EKI-1322_D1.98_FW).
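The findings above (a hardcoded SSH key, bash 2.05, OpenSSL 1.0.0e, an old DHCP client) are all things a defender can check for in a firmware image before it reaches a production gateway. The audit below is an added example for this article, not Rapid7's tooling or Advantech's code. It searches an image for the version banners that bash and OpenSSL embed in their binaries and compares them against a policy floor, and it looks for PEM-encoded private keys inside the image: a key shipped in the image is by definition shared by every device flashed with it, and comparing key fingerprints across images shows whether a "new" firmware still carries the old key. The two sample images, the policy minimums and the placeholder key are all constructed; the banner regexes cover the two components named in the article and would need extending for others (the DHCP client, for example).

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Version banners embedded in the component binaries (constructed regexes;
# real banners vary by build, so extend this table for your own inventory).
VERSION_PATTERNS = {
    "bash": re.compile(rb"GNU bash, version (\d+\.\d+(?:\.\d+)?)"),
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}

# Any PEM private key inside the image is a hardcoded, fleet-wide key.
PEM_KEY = re.compile(
    rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----.*?"
    rb"-----END (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----",
    re.DOTALL,
)


def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.0.0e' -> (1, 0, 0, 5); '2.05' -> (2, 5). A trailing letter maps to 1..26
    so OpenSSL patch letters compare in order."""
    parts: List[int] = []
    for piece in v.split("."):
        m = re.match(r"(\d+)([a-z]?)", piece)
        if not m:
            continue
        parts.append(int(m.group(1)))
        if m.group(2):
            parts.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(parts)


def find_versions(image: bytes) -> Dict[str, str]:
    """Map component name -> first version banner found in the image."""
    found: Dict[str, str] = {}
    for name, pat in VERSION_PATTERNS.items():
        m = pat.search(image)
        if m:
            found[name] = m.group(1).decode()
    return found


def embedded_key_fingerprints(image: bytes) -> List[str]:
    """Short SHA-256 fingerprints of every PEM private key block in the image."""
    return [hashlib.sha256(m.group(0)).hexdigest()[:16] for m in PEM_KEY.finditer(image)]


def audit_image(image: bytes, minimum: Dict[str, str]) -> List[str]:
    """Human-readable findings: components below the policy floor, embedded keys."""
    findings: List[str] = []
    for name, ver in find_versions(image).items():
        if name in minimum and version_tuple(ver) < version_tuple(minimum[name]):
            findings.append(f"{name} {ver} is below policy minimum {minimum[name]}")
    for fp in embedded_key_fingerprints(image):
        findings.append(f"private key embedded in image (sha256 {fp})")
    return findings


def shared_keys(images: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Key fingerprints that occur in more than one image -> the image names."""
    seen: Dict[str, List[str]] = {}
    for name, blob in images.items():
        for fp in embedded_key_fingerprints(blob):
            seen.setdefault(fp, []).append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}


# Constructed inputs: a placeholder key (not real key material) and two fake
# "firmware images" made of the banner strings an extracted rootfs would contain.
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIEconstructedPlaceholderNotARealKey\n"
            b"-----END RSA PRIVATE KEY-----\n")
IMAGE_OLD = (b"\x00" * 16 + b"GNU bash, version 2.05b(1)-release\x00"
             b"OpenSSL 1.0.0e 6 Sep 2011\x00" + FAKE_KEY)
IMAGE_NEW = (b"\x00" * 16 + b"GNU bash, version 4.3.30(1)-release\x00"
             b"OpenSSL 1.0.2d 9 Jul 2015\x00" + FAKE_KEY)

# Constructed policy floor: bash 4.3 (Shellshock fixes were issued as patches
# to 4.3) and OpenSSL 1.0.1g (first release without Heartbleed).
POLICY = {"bash": "4.3", "OpenSSL": "1.0.1g"}

if __name__ == "__main__":
    for name, blob in {"EKI-A": IMAGE_OLD, "EKI-B": IMAGE_NEW}.items():
        print(name, audit_image(blob, POLICY))
    print("keys shared across images:", shared_keys({"EKI-A": IMAGE_OLD, "EKI-B": IMAGE_NEW}))
```

On a real image, run this over the extracted root filesystem rather than the raw download, since compressed filesystems hide the banners. The version check catches components that are old by number; it cannot tell whether a vendor backported a fix without bumping the version, so a banner below the floor is a finding to confirm, not a verdict.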

Rapid7 contacted Advantech November 11 and published a Metasploit module on December 1.