Nearly two dozen security vulnerabilities have been discovered in Advantech EKI industrial-grade wireless devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges.
“These vulnerabilities pose a significant risk by allowing unauthenticated remote code execution with root privileges, thereby completely compromising the privacy, integrity, and availability of affected devices,” cybersecurity firm Nozomi Networks said in an analysis published on Wednesday.
After responsible disclosure, the vulnerabilities were fixed in the following firmware versions:
- 1.6.5 (for EKI-6333AC-2G and EKI-6333AC-2GD)
- 1.2.2 (for EKI-6333AC-1GPO)
Six of the 20 vulnerabilities identified were deemed critical, allowing an attacker to gain permanent access to internal resources by implanting a backdoor, cause a denial-of-service (DoS) condition, and even repurpose infected endpoints as Linux workstations to enable lateral movement and further network penetration.
Of the six critical flaws, five (CVE-2024-50370 to CVE-2024-50374, CVSS score: 9.8) relate to improper neutralization of special elements used in an operating system (OS) command, while CVE-2024-50375 (CVSS score: 9.8) concerns a case of missing authentication for a critical function.
Also of note is CVE-2024-50376 (CVSS score: 7.3), a cross-site scripting flaw that can be chained with CVE-2024-50359 (CVSS score: 7.2), another instance of OS command injection that would otherwise require authentication to achieve arbitrary code execution over the air.
However, for this attack to be successful, the external malicious user must be in physical proximity to the Advantech access point and broadcast a fake access point.
The attack is activated when an administrator visits the “Wi-Fi Analyzer” section of the web application, which causes the page to automatically embed information obtained through beacon frames transmitted by the attacker without any sanitization checks.
“One such piece of information that an attacker can broadcast through their fake access point is the SSID (commonly called ‘Wi-Fi network name’),” Nozomi Networks said. “Thus, an attacker could inject a JavaScript payload as the SSID for their fake access point and exploit CVE-2024-50376 to cause a cross-site scripting (XSS) vulnerability in a web application.”
The result is the execution of arbitrary JavaScript code in the context of the victim’s web browser, which can then be combined with CVE-2024-50359 to achieve an OS-level command injection with root privileges. This can take the form of a reverse shell that provides persistent remote access to the threat actor.
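To make the rendering step concrete, here is an added illustration (not Advantech firmware code and not part of Nozomi's analysis) of an SSID learned from beacon frames being written into a Wi-Fi scanner page, in the unsanitized form the advisory describes beside a hardened one; the function names, the table markup and the sample SSID are assumptions.

```javascript
// Added example, not the vendor's code. An SSID is 0-32 arbitrary octets
// chosen by whoever transmits the beacon, so it is untrusted input and must
// be normalised and escaped before it reaches the DOM.

// Minimal HTML escaping for text content and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Enforce the 802.11 length limit, decode as UTF-8 (invalid sequences become
// U+FFFD) and replace control characters so they cannot disturb the layout.
function normalizeSsid(ssidBytes) {
  if (ssidBytes.length > 32) {
    throw new RangeError('SSID longer than 32 octets');
  }
  const text = new TextDecoder('utf-8', { fatal: false }).decode(ssidBytes);
  return text.replace(/[\u0000-\u001f\u007f]/g, '\uFFFD');
}

// Unsafe pattern (the behaviour the advisory describes): the decoded SSID is
// concatenated straight into markup, so any tags it carries become part of
// the page when an administrator opens the analyzer view.
function renderRowUnsafe(ssidBytes) {
  const ssid = new TextDecoder().decode(ssidBytes);
  return `<tr><td class="ssid">${ssid}</td></tr>`;
}

// Hardened pattern: the SSID is normalised and escaped first, so it is shown
// verbatim as text rather than interpreted as HTML.
function renderRowSafe(ssidBytes) {
  const ssid = normalizeSsid(ssidBytes);
  return `<tr><td class="ssid">${escapeHtml(ssid)}</td></tr>`;
}

// Constructed sample: a network name that happens to contain markup and quotes.
const SAMPLE_SSID = new TextEncoder().encode('Lobby <b>Free</b> "Wi-Fi"');
```

In a browser the same distinction is between assigning the name to `innerHTML` and assigning it to `textContent`; the escaping above is what the server-side template needs when it builds the row itself.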
“This will allow attackers to gain remote control of a compromised device, execute commands, and further infiltrate the network by extracting data or deploying additional malicious scripts,” the company said.