Dropbear SSH daemon doesn't authenticate users

News by Danielle Correa

A critical authentication bug has been discovered in Advantech's EKI series of Modbus-to-TCP/IP gateways.

HD Moore, chief research officer of Rapid7, found that the EKI's Dropbear SSH daemon is not authenticating users. According to Moore, users are able to authenticate using any public key and password.

Moore said in his blog, “While looking into the SSH key issue outlined in the ICS-CERT ISCA-15-309-01 advisory, it became clear that the Dropbear SSH daemon did not enforce authentication, and a possible backdoor account was discovered in the product. All results are from analysing and running firmware version 1322_D1.98, which was released in response to the ICS-CERT advisory.”

There may also be a backdoor hardcoded into the 1.98 version of the firmware, but it has not been confirmed as reachable on a device by an unauthenticated attacker.

Advantech has patched the authentication bypass issue in EKI-1322_D2.00_FW, available on its site. Users are advised to install the firmware as soon as they are able to do so. 
