I got an interesting email this weekend from a reader, Neil Smith (the researcher who is credited with reporting the vulnerability), about the recent ICS-CERT Advisory on the Advantech EKI-122X series products that I discussed last week. The reader had some comments on the mitigation measures outlined in the Advisory.
The Advisory explained the mitigation measures this way:
“Advantech released new firmware in October 2015 to mitigate this vulnerability. For the EKI‑122* BE (v1.65) and EKI-136* (v1.27) product lines, HTTPS and SSH is disabled. For the EKI‑132* (v1.98) product line, additional configurations were added to allow customization for the HTTPS and SSH keys.”
Neil notes that “HTTPS and SSH is disabled” means that Advantech is “reverting back to plaintext device configuration by default, and leaving it up to the end user to configure SSL/SSH with their own keys”.
Since there is no publicly available documentation for these firmware updates, I have no way of knowing if Advantech has made this clear to the users.
It seems to me that this is actually a step backwards (if Advantech has not made this clear) in that, without additional owner/integrator actions, it will be even easier to make unauthorized changes to these Modbus gateways than it was before the update was installed. At least with the original firmware, you had to know the hardcoded password.
In closing his email, Smith wanted me to remind readers that “if a user updates to the latest firmware, they need to double check these services are turned back on and make sure their own certs/keys are being used”. [Updated with 'reader' name - 11-9-15, 21:05 CST]