Over-the-air vulnerabilities discovered in Advantech EKI access points
Friday, 29 November, 2024
As industrial networks expand into wireless domains, new vulnerabilities are exposing critical infrastructure to potential cyberthreats. With this evolution, safeguarding wireless devices within industrial settings has become essential.
Nozomi Networks Labs recently conducted an analysis of version 1.6.2 of Advantech’s EKI-6333AC-2G industrial-grade wireless access point. Due to its resilience in challenging environments, this device is utilised across diverse sectors, ranging from automotive assembly lines to warehousing and distribution operations in logistics. However, the analysis identified 20 vulnerabilities, each assigned a unique CVE identifier. These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity and availability of the affected devices.
Following the triage and confirmation of these issues, Advantech has released firmware version 1.6.5 to address the vulnerabilities on EKI-6333AC-2G and EKI-6333AC-2GD and firmware version 1.2.2 for EKI-6333AC-1GPO. Through the responsible disclosure process coordinated with Advantech, the EKI-6333AC-2GD and EKI-6333AC-1GPO devices were also confirmed to be impacted by these vulnerabilities due to shared firmware code.
Impacts of the vulnerabilities
Several of these vulnerabilities have been evaluated as critical, given that they could ultimately lead to remote code execution (RCE) with root privileges over the access point. This would allow a threat actor to compromise the device’s confidentiality, integrity and availability. Two possible attack vectors were identified:
- Attack vector 1 (LAN/WAN): In situations where an attacker can interact directly with the access point over the network, they can exploit these vulnerabilities by crafting malicious requests that target the vulnerable service.
- Attack vector 2 (Over-the-air): An additional scenario occurs over the air, where an attacker does not need to be connected to a wired (LAN/WAN) or wireless (WLAN) network. They could exploit the wireless spectrum to execute code on the device simply by being in physical proximity to it.
Given these severity levels, a malicious user could achieve the following outcomes:
- Persistent access to internal resources: Once code execution on the device is achieved, malicious users may implant a backdoor to maintain persistent access. This setup could enable scenarios where initial access is gained through malware infection (such as via email), and persistence is established by compromising the Advantech device.
- Denial of Service (DoS): In scenarios where a vulnerable access point serves as the backbone network to control wireless RGVs navigating complex production layouts, the ability to tamper with these critical access points could significantly disrupt automation processes on production lines.
- Lateral movement: Gaining root privileges on the device enables the attacker to repurpose the access point as a fully functional Linux workstation, providing a new foothold for further exploration and penetration within the network. This can be accomplished, for instance, by conducting man-in-the-middle (MITM) attacks to capture credentials transmitted over unencrypted protocols or by exploiting known vulnerabilities in unpatched devices using publicly available exploits.
Remediation
After these vulnerabilities were reported, Advantech promptly addressed them by releasing the following firmware versions:
- EKI-6333AC-2G: v1.6.5
- EKI-6333AC-2GD: v1.6.5
- EKI-6333AC-1GPO: v1.2.2
More details can be found here. All asset owners are encouraged to upgrade to these latest firmware versions to protect their networks and devices from unauthorised access.