R7-2015-26: Advantech EKI Dropbear Authentication Bypass (CVE-2015-7938)

While looking into the SSH key issue outlined in the ICS-CERT ICSA-15-309-01 advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analyzing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.

This issue was discovered and disclosed as part of research resulting in Rapid7's disclosure of R7-2015-25, involving a number of known vulnerabilities present in the Advantech firmware. Given that CVE-2015-7938 represents a new vulnerability, however, it was held back until January, 2016.

Product Description

The Advantech EKI series products are Modbus gateways used to connect serial devices to TCP/IP networks. They are typically found in industrial control environments. The firmware analyzed is specific to the EKI-1322 GPRS (General Packet Radio Service) IP gateway device, but given the scope of ICSA-15-309-01, it is presumed these issues are present on other EKI products.

Credit

This issue was discovered by HD Moore of Rapid7, Inc.

Details

As of the 1.98 version of the firmware, the included Dropbear daemon had been heavily modified. As a result, it does not actually enforce authentication. During testing, any user is able to bypass authentication by presenting any public key and password.

In addition, there may be a backdoor hardcoded into this version of the binary as well, using the username and password of "remote_debug_please:remote_debug_please", as shown in the partial firmware analysis below:

.text:000294F8                 ADD     R0, R0, #0x2C   ; haystack
.text:000294FC                 LDR     R1, =aRemote_debug_p ; "remote_debug_please"
.text:00029500                 LDR     R3, =strstr

Note that it is unconfirmed whether this backdoor account is reachable on a production device by an otherwise unauthenticated attacker; its presence was merely noted during binary analysis, and the vendor has not acknowledged the purpose or existence of this account.

Mitigations

The authentication bypass issue is resolved in EKI-1322_D2.00_FW, available from the vendor's website as of December 30, 2015. Customers are urged to install this firmware at their earliest opportunity.

In the event that the firmware cannot be installed, users of these devices should ensure that sufficient network segmentation is in place, and that only trusted users and devices are able to communicate with the EKI-123* device.

Disclosure Timeline

This issue was disclosed via Rapid7's usual disclosure policy.

  • Wed, Nov 11, 2015: Initial contact to vendor
  • Tue, Dec 01, 2015: R7-2015-25.4 disclosed to CERT
  • Tue, Dec 01, 2015: VU#352776 assigned by CERT
  • Wed, Dec 09, 2015: Receipt of VU#352776 confirmed by ICS-CERT
  • Wed, Dec 30, 2015: EKI-1322_D2.00_FW released by the vendor
  • Tue, Jan 05, 2016: Bulletin ICSA-15-344-01 updated by ICS-CERT
  • Fri, Jan 15, 2016: R7-2015-26 publicly disclosed by Rapid7