### #IndustrialIoT #AccessPointExploits #RemoteCodeExecution
Summary: A series of critical vulnerabilities in Advantech EKI industrial-grade wireless access points could allow attackers to execute remote code with elevated privileges, posing severe risks to device security. These flaws could enable unauthorized access and control over affected devices, leading to potential network infiltration.
Threat Actor: Unknown | unknown
Victim: Advantech EKI users | Advantech EKI users
Key Point :
- Twenty vulnerabilities disclosed, with six critical flaws allowing remote code execution and persistent access.
- Five critical vulnerabilities relate to improper OS command neutralization, while one involves missing authentication for a critical function.
- Exploitation requires physical proximity to the access point and the use of specially crafted data from a rogue access point.
- Attackers can leverage cross-site scripting and command injection to gain root access and control over the device.
- Successful attacks can lead to data extraction and deployment of additional malicious scripts within the network.
Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges.
“These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices,” cybersecurity company Nozomi Networks said in a Wednesday analysis.
Following responsible disclosure, the weaknesses have been addressed in the following firmware versions –
- 1.6.5 (for EKI-6333AC-2G and EKI-6333AC-2GD)
- 1.2.2 (for EKI-6333AC-1GPO)
Six of the identified 20 vulnerabilities have been deemed critical, allowing an attacker to obtain persistent access to internal resources by implanting a backdoor, trigger a denial-of-service (DoS) condition, and even repurpose infected endpoints as Linux workstations to enable lateral movement and further network penetration.
Of the six critical flaws, five (from CVE-2024-50370 through CVE-2024-50374, CVSS scores: 9.8) relate to improper neutralization of special elements used in an operating system (OS) command, while CVE-2024-50375 (CVSS score: 9.8) concerns a case of missing authentication for a critical function.
Also of note is CVE-2024-50376 (CVSS score: 7.3), a cross-site scripting flaw that could be chained with CVE-2024-50359 (CVSS score: 7.2), another instance of OS command injection that would otherwise require authentication, to achieve arbitrary code execution over-the-air.
That said, in order for this attack to be successful, it requires the external malicious user to be in physical proximity to the Advantech access point and broadcast specially crafted data from a rogue access point.
The attack gets activated when an administrator visits the “Wi-Fi Analyzer” section in the web application, causing the page to automatically embed information received through beacon frames broadcasted by the attacker without any sanitization checks.
“One such piece of information an attacker could broadcast through its rogue access point is the SSID (commonly referred to as the ‘Wi-Fi network name’),” Nozomi Networks said. “The attacker could therefore insert a JavaScript payload as SSID for its rogue access point and exploit CVE-2024-50376 to trigger a cross-site scripting (XSS) vulnerability inside the web application.”
The result is the execution of arbitrary JavaScript code in the context of the victim’s web browser, which could then be combined with CVE-2024-50359 to achieve command injection at the OS level with root privileges. This could take the form of a reverse shell that provides persistent remote access to the threat actor.
“This would enable attackers to gain remote control over the compromised device, execute commands, and further infiltrate the network, extracting data or deploying additional malicious scripts,” the company said.
Source: https://thehackernews.com/2024/11/over-two-dozen-flaws-identified-in.html