Advantech Vuln. Disclosed

By ISBuzz Team
Writer, Information Security Buzz | Jan 20, 2016 07:30 pm PST

Rapid7 will disclose a vulnerability in Advantech’s EKI-1322 serial device server. The team found that the Dropbear SSH daemon shipped in the firmware did not enforce authentication, and a possible backdoor account was discovered in the product. The Dropbear daemon had been heavily modified and, as a result, does not actually enforce authentication: any user can bypass it by presenting any public key and password.

But there’s good news: The authentication bypass issue is resolved in EKI-1322_D2.00_FW, which was made available from the vendor’s website as of December 30, 2015.

Team at Rapid7:

R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)

While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01 advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.

This issue was discovered and disclosed as part of research resulting in Rapid7’s disclosure of [R7-2015-24], involving a number of known vulnerabilities present in the Advantech firmware. Given that CVE-2015-7938 represents a new vulnerability, however, it was held back until January 2016.

Product Description

The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments. The firmware analyzed is specific to the EKI-1322 GPRS (General Packet Radio Service) IP gateway device, but given the scope of ICSA-15-309-01, it is presumed these issues are present on other EKI products.

Credit

This issue was discovered by HD Moore of Rapid7, Inc.

Details

As of the 1.98 version of the firmware, the Dropbear daemon included had been heavily modified. As a result, it does not actually enforce authentication. During testing, any user was able to bypass authentication by using any public key and password.

In addition, there may be a backdoor hardcoded into this version of the binary as well, using the username and password of “remote_debug_please:remote_debug_please”, as shown in the partial firmware analysis below:

Note that it is unconfirmed if this backdoor account is reachable on a production device by an otherwise unauthenticated attacker; its presence was merely noted during binary analysis, and the vendor has not acknowledged the purpose or existence of this account.
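The backdoor account above was spotted by inspecting printable strings in the firmware binary. The following is an added example (not part of the Rapid7 advisory and not Advantech code) of how a defender can audit a firmware image they hold for hard-coded credential strings: it extracts printable runs the way the `strings` tool does, then filters them against a small set of patterns. The account name pattern comes from the advisory; the other two patterns, the `MIN_LEN` threshold and the sample image bytes are assumptions constructed for the example.

```python
"""Scan a firmware image for hard-coded credential strings.

Added example; the image below is constructed, not a real Advantech
firmware. Only the account name pattern is taken from R7-2015-26.
"""
import re
from typing import List, Tuple

# Printable ASCII runs of at least MIN_LEN bytes, like the `strings` tool.
MIN_LEN = 8
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Patterns worth flagging. The first is the account name reported in the
# advisory; the others are assumed shapes of a debug credential and are
# here only to show how the filter generalises.
SUSPICIOUS = [
    re.compile(rb"remote_debug_please"),
    re.compile(rb"(?i)debug.{0,8}(password|pass|pwd)"),
    re.compile(rb"^[A-Za-z0-9_]{4,32}:[A-Za-z0-9_]{4,32}$"),  # user:pass shape
]


def extract_strings(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, string) pairs for every printable run in blob."""
    return [(m.start(), m.group()) for m in _PRINTABLE.finditer(blob)]


def find_credentials(blob: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, string) pairs whose string matches a suspicious pattern."""
    hits = []
    for off, s in extract_strings(blob):
        if any(p.search(s) for p in SUSPICIOUS):
            hits.append((off, s))
    return hits


# Constructed sample image: non-printable filler around a few strings.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24          # fake header, 32 bytes
    + b"Dropbear sshd\x00"                              # harmless banner-like string
    + b"\x90" * 16                                      # filler, not printable
    + b"remote_debug_please:remote_debug_please\x00"    # the string to catch
    + b"\x00" * 8
    + b"/etc/dropbear/dropbear_rsa_host_key\x00"        # a path, not a credential
)

if __name__ == "__main__":
    for off, s in find_credentials(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {s.decode('ascii')}")
```

Run against a real image, the script reads the file with `open(path, "rb").read()` in place of `SAMPLE_IMAGE`; a hit is a starting point for disassembly around the referencing code, not proof on its own that the account is reachable over the network, which is exactly the caveat the advisory makes.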

Mitigations

The authentication bypass issue is resolved in EKI-1322_D2.00_FW, available from the vendor’s website as of December 30, 2015. Customers are urged to install this firmware at their earliest opportunity.

In the event that the firmware cannot be installed, users of these devices should ensure that sufficient network segmentation is in place, and that only trusted users and devices are able to communicate with the EKI-123* device.
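Where the device cannot be updated, the segmentation advice above can be verified rather than assumed. The following is an added example (not part of the advisory) of a check a defender can run over flow or firewall logs: it flags any TCP/22 session to a known EKI gateway that did not originate from the management network. The device addresses, the trusted network and the flow records are all constructed assumptions; the record format is a simplified one-line-per-flow layout.

```python
"""Flag SSH sessions to serial-device servers from outside an allowlist.

Added example modelling the segmentation mitigation in R7-2015-26.
All addresses and records below are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed inventory: the gateways and the network allowed to manage them.
EKI_DEVICES = {
    ipaddress.ip_address("10.20.30.40"),
    ipaddress.ip_address("10.20.30.41"),
}
TRUSTED_SOURCES = ipaddress.ip_network("10.20.1.0/24")  # engineering VLAN
SSH_PORT = 22

# Constructed flow records: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = [
    "2016-01-15T09:00:01Z 10.20.1.15:51234 -> 10.20.30.40:22 tcp",    # trusted admin
    "2016-01-15T09:00:07Z 10.20.1.16:40001 -> 10.20.30.40:502 tcp",   # Modbus, not SSH
    "2016-01-15T09:01:12Z 192.168.77.9:33000 -> 10.20.30.41:22 tcp",  # foreign network
    "2016-01-15T09:02:44Z 10.20.5.8:47000 -> 10.20.30.40:22 tcp",     # plant VLAN, untrusted
    "2016-01-15T09:03:00Z 10.20.1.15:51250 -> 10.20.30.41:22 udp",    # not TCP
]

Flow = Tuple[str, ipaddress.IPv4Address, int, ipaddress.IPv4Address, int, str]


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, src_port = parts[1].rsplit(":", 1)
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        return (parts[0], ipaddress.ip_address(src_ip), int(src_port),
                ipaddress.ip_address(dst_ip), int(dst_port), parts[4].lower())
    except ValueError:
        return None


def untrusted_ssh(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, src, dst) for SSH sessions to an EKI device
    whose source lies outside the trusted management network."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, _, dst, dport, proto = flow
        if dst in EKI_DEVICES and dport == SSH_PORT and proto == "tcp" \
                and src not in TRUSTED_SOURCES:
            findings.append((ts, str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for ts, src, dst in untrusted_ssh(SAMPLE_FLOWS):
        print(f"{ts} untrusted SSH {src} -> {dst}")
```

Because the vulnerable daemon accepts any key, a successful login from an unexpected source cannot be distinguished from a legitimate one by the device's own authentication records; the network path is the only place the control can be observed, which is why the check keys on source address rather than on login outcome.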

Disclosure Timeline

This issue was disclosed via Rapid7’s usual disclosure policy.

  • Wed, Nov 11, 2015: Initial contact to vendor
  • Tue, Dec 01, 2015: R7-2015-25.4 disclosed to CERT
  • Tue, Dec 01, 2015: VU#352776 assigned by CERT
  • Wed, Dec 09, 2015: Receipt of VU#352776 confirmed by ICS-CERT
  • Wed, Dec 30, 2015: EKI-1322_D2.00_FW released by the vendor
  • Tue, Jan 05, 2016: Bulletin ICSA-15-344-01 updated by ICS-CERT
  • Fri, Jan 15, 2016: R7-2015-26 publicly disclosed by Rapid7 (planned)


About Rapid7

Rapid7 security data and analytics software and services help organizations reduce the risk of a breach, detect and investigate attacks, and build effective IT security programs. With comprehensive real-time data collection, advanced correlation, and insight into attacker techniques, Rapid7 strengthens an organization’s ability to defend against everything from opportunistic drive-by attacks to advanced threats. Unlike traditional vulnerability management and incident detection technologies, Rapid7 provides visibility, monitoring, and insight across assets and users from the endpoint to the cloud. Dedicated to solving the toughest security challenges, Rapid7 offers proprietary capabilities to spot intruders leveraging today’s #1 attack vector: compromised credentials. Rapid7 is trusted by more than 3,700 organizations across 90 countries, including 30% of the Fortune 1000.
