Researchers at Nozomi Networks Labs analyzed version 1.6.2 of the EKI-6333AC-2G, an industrial-grade wireless access point, uncovering 20 vulnerabilities, each with a distinct CVE identifier. These vulnerabilities present serious risks, allowing unauthenticated remote code execution with root privileges, which can completely compromise the affected devices’ confidentiality, integrity, and availability.
As industrial networks expand into wireless domains, they encounter new vulnerabilities that endanger critical infrastructure through cyber attacks. This shift underscores the importance of securing wireless devices in industrial settings. Since the introduction of Guardian Air, Nozomi Networks has emphasized the urgent need for enhanced protection, particularly for wireless systems.
Known for its resilience in challenging environments, the Advantech EKI-6333AC-2G device is employed across various sectors, including automobile assembly lines and warehousing and distribution operations within logistics. It provides stable, dual-band Wi-Fi connectivity under harsh operating conditions.
Nozomi’s research focused on the EKI-6333AC-2G’s key operational areas, including its connectivity protocols, data handling, and security mechanisms, which are critical to ensuring uninterrupted, secure communication in industrial environments. These areas present potential entry points for attackers both at the wired level and within the wireless spectrum.
The researchers found that hackers could execute remote attacks without connecting to the network, leveraging the wireless spectrum for physical proximity attacks. Vulnerabilities can disrupt essential processes such as automated production lines, enable persistent backdoor access, and allow attackers to infiltrate internal networks. Researchers demonstrated how two specific vulnerabilities can be combined to achieve full remote code execution and gain root access on affected devices.
The Advantech devices are used in diverse environments, including manufacturing, logistics, and critical infrastructure, underscoring the widespread implications of these vulnerabilities. Advantech has released new firmware to mitigate these vulnerabilities, and Nozomi Networks encourages immediate updates to protect against unauthorized access.
Several of these vulnerabilities have been evaluated as critical, given that they could lead to remote code execution with root privileges over the access point. This would allow a threat actor to compromise the device’s confidentiality, integrity, and availability.
Two potential attack vectors have been identified. Attack Vector 1 (LAN/WAN) involves scenarios where an attacker can directly interact with the access point via the network. In such cases, they can exploit vulnerabilities by sending malicious requests to the vulnerable service. Attack Vector 2 (Over-the-Air) presents a different scenario where the attacker does not need to be connected to a wired (LAN/WAN) or wireless (WLAN) network. Instead, they can exploit the wireless spectrum to execute code on the device simply by being in close physical proximity.
Given these severity levels, a malicious user could achieve outcomes including persistent access to internal resources, denial of service (DoS), and lateral movement. Once code execution on the device is achieved, a malicious user can implant a backdoor to maintain ongoing access. This allows scenarios where initial access is gained through a malware infection, such as via email, and persistence is then established by compromising the Advantech device.
In situations where a vulnerable access point serves as the backbone network controlling wireless RGVs navigating complex production layouts, the ability to tamper with these critical access points could severely disrupt automation processes on production lines.
Gaining root privileges on the device allows the attacker to transform the access point into a fully functional Linux workstation, providing a new foothold for further exploration and penetration within the network. This can be achieved by conducting ‘man-in-the-middle’ attacks to capture credentials transmitted over unencrypted protocols or by exploiting known vulnerabilities in unpatched devices using publicly available exploits.
While the attacker would already be able to control the device’s settings via its web interface, they could take it a step further by chaining CVE-2024-50359. This vulnerability is an authenticated command injection reachable through the administrative panel, allowing deeper system manipulation. Since the process that runs the web application executes with root privileges on the Advantech device, no particular restrictions are encountered when arbitrary injected commands are executed on the device at the operating system level.
One such command could be to allow a persistent connection back to an internet-facing C&C machine to be established through a reverse shell. This would enable attackers to gain remote control over the compromised device, execute commands, and further infiltrate the network, extracting data or deploying additional malicious scripts.
After triage and confirmation of the issues, Advantech released firmware version 1.6.5 for both the EKI-6333AC-2G and EKI-6333AC-2GD, and version 1.2.2 for the EKI-6333AC-1GPO to address the vulnerabilities. The responsible disclosure process revealed that the EKI-6333AC-2GD and EKI-6333AC-1GPO were affected due to shared firmware code. Advantech promptly responded by releasing the updated firmware versions. Researchers urge asset owners to upgrade to these latest versions to safeguard their networks and devices from unauthorized access.
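One practical follow-up for asset owners is an inventory check against the fixed firmware versions named above. The following is an added example, not code from Nozomi Networks or Advantech; the `hostname,model,firmware` inventory format and the sample rows are constructed, and only the model-to-fixed-version mapping comes from the article.

```python
# Added example: flag Advantech access points whose firmware predates the
# fixed releases named in the advisory (1.6.5 for the 2G/2GD, 1.2.2 for the 1GPO).

# Model -> first fixed firmware version, taken from the advisory text.
FIXED_FIRMWARE = {
    "EKI-6333AC-2G": "1.6.5",
    "EKI-6333AC-2GD": "1.6.5",   # shares firmware code with the 2G
    "EKI-6333AC-1GPO": "1.2.2",
}

def parse_version(version: str) -> tuple:
    """Turn '1.6.5' into (1, 6, 5) so comparisons are numeric, not lexical:
    a plain string compare would wrongly rank '1.10.0' below '1.6.5'."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(model: str, version: str):
    """True if the firmware is older than the fix; None for unrelated models."""
    fixed = FIXED_FIRMWARE.get(model)
    if fixed is None:
        return None  # not one of the affected models, so no verdict
    return parse_version(version) < parse_version(fixed)

def audit(inventory: list) -> list:
    """Inventory lines use a constructed 'hostname,model,firmware' format."""
    findings = []
    for line in inventory:
        host, model, fw = (field.strip() for field in line.split(","))
        if is_vulnerable(model, fw):
            findings.append({"host": host, "model": model, "firmware": fw,
                             "upgrade_to": FIXED_FIRMWARE[model]})
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ap-line1, EKI-6333AC-2G, 1.6.2",      # the version analyzed by Nozomi
    "ap-line2, EKI-6333AC-2G, 1.6.5",      # already on the fixed release
    "ap-wh1, EKI-6333AC-2GD, 1.6.4",       # shared firmware, still vulnerable
    "ap-dock, EKI-6333AC-1GPO, 1.10.0",    # newer than 1.2.2 despite '1.1' prefix
    "ap-other, SOME-OTHER-AP, 2.0",        # not an affected model
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['model']} {f['firmware']} -> upgrade to {f['upgrade_to']}")
```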
In June, Nozomi researchers outlined the top eleven risks of implementing browser-based HMIs (human-machine interfaces) in controlled OT (operational technology) settings, emphasizing the challenges of a web-centric approach. That analysis has now completed its CVE reservation process, enabling publication of the vulnerabilities found in the AiLux RTU62351B, the final device in the study. Additionally, Nozomi Networks Labs shared its findings in a white paper analyzing browser-based HMIs across five devices from high-profile vendors.