Advantech released firmware version 1.64 for a Modbus Gateway device on Monday, and with it comes a fix for a buffer overflow vulnerability – identified by researchers with Core Security – that can be exploited remotely by attackers to execute arbitrary code.
In Monday email correspondence, Core Researchers told SCMagazine.com that the vulnerable product – EKI-1221D – is a SCADA device used for industrial communications, and that firmware version 1.61 is the vulnerable version.
The Core Security researchers said that this is a high severity vulnerability because it enables remote code execution, and that all users should update. They added that, as far as they know, there have been no exploitation attempts in the wild.
“This vulnerability is caused by an incorrect manipulation of an input parameter of the file “index.cgi,” according to a Monday post. “When it receives at least 136 characters in the num variable it generates a segmentation fault, which means that it can be exploited in order to execute arbitrary code. The request must be done using the POST method in order to work.”
The post callso noted, “The CGI file may require authentication, and the webserver's config file defines the haymarketwp.wpengine.com root user as the server admin. Taking into account that the root user is hardcoded in the firmware, there is a chance that it could remain unchanged. This user may work for authentication, the username is “root” and the password “ab6TRGT20sY26.””