Industrial Wi-Fi Access Points

Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges.

"These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices," cybersecurity company Nozomi Networks said in a Wednesday analysis.

Following responsible disclosure, the weaknesses have been addressed in the following firmware versions -

  • 1.6.5 (for EKI-6333AC-2G and EKI-6333AC-2GD)
  • 1.2.2 (for EKI-6333AC-1GPO)
Cybersecurity

Six of the identified 20 vulnerabilities have been deemed critical, allowing an attacker to obtain persistent access to internal resources by implanting a backdoor, trigger a denial-of-service (DoS) condition, and even repurpose infected endpoints as Linux workstations to enable lateral movement and further network penetration.

Of the six critical flaws, five (from CVE-2024-50370 through CVE-2024-50374, CVSS scores: 9.8) relate to improper neutralization of special elements used in an operating system (OS) command, while CVE-2024-50375 (CVSS score: 9.8) concerns a case of missing authentication for a critical function.

Also of note is CVE-2024-50376 (CVSS score: 7.3), a cross-site scripting flaw that could be chained with CVE-2024-50359 (CVSS score: 7.2), another instance of OS command injection that would otherwise require authentication, to achieve arbitrary code execution over-the-air.

That said, in order for this attack to be successful, it requires the external malicious user to be in physical proximity to the Advantech access point and broadcast specially crafted data from a rogue access point.

Industrial Wi-Fi Access Points

The attack gets activated when an administrator visits the "Wi-Fi Analyzer" section in the web application, causing the page to automatically embed information received through beacon frames broadcasted by the attacker without any sanitization checks.

Cybersecurity

"One such piece of information an attacker could broadcast through its rogue access point is the SSID (commonly referred to as the 'Wi-Fi network name')," Nozomi Networks said. "The attacker could therefore insert a JavaScript payload as SSID for its rogue access point and exploit CVE-2024-50376 to trigger a cross-site scripting (XSS) vulnerability inside the web application."

The result is the execution of arbitrary JavaScript code in the context of the victim's web browser, which could then be combined with CVE-2024-50359 to achieve command injection at the OS level with root privileges. This could take the form of a reverse shell that provides persistent remote access to the threat actor.

"This would enable attackers to gain remote control over the compromised device, execute commands, and further infiltrate the network, extracting data or deploying additional malicious scripts," the company said.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.