A critical authentication bug has been discovered in Advantech's EKI series of Modbus-to-TCP/IP gateways.
HD Moore, chief research officer of Rapid7, found that the EKI's Dropbear SSH daemon is not authenticating users. According to Moore, users are able to authenticate using any public key and password.
Moore said in his blog, “While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01 advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analysing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.”
There may also be a backdoor hardcoded into the 1.98 version of the firmware, but it has not been confirmed as reachable on a device by an unauthenticated attacker.
Advantech has patched the authentication bypass issue in EKI-1322_D2.00_FW, available on its site. Users are advised to install the firmware as soon as they are able to do so.