Full Report
Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges. "These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality,
Analysis Summary
# Vulnerability: Critical Command Injection and Authentication Bypass in Advantech Industrial Wi-Fi APs
## CVE Details
- CVE ID: CVE-2024-50370 through CVE-2024-50375, CVE-2024-50359, CVE-2024-50376 (Multiple)
- CVSS Score: 9.8 (Critical) for CVE-2024-50370 through CVE-2024-50375. Other scores noted: 7.3 (CVE-2024-50376), 7.2 (CVE-2024-50359).
- CWE: OS Command Injection (CWE-78), Missing Authentication for Critical Function (CWE-306), Cross-Site Scripting (CWE-79).
## Affected Systems
- Products: Advantech EKI industrial-grade wireless access point devices. Specifically mentioned: EKI-6333AC-2G, EKI-6333AC-2GD, EKI-6333AC-1GPO.
- Versions: Prior to specified patch versions.
- Configurations: Some attacks require the external attacker to be in physical proximity and broadcast a rogue access point.
## Vulnerability Description
Approximately two dozen vulnerabilities were found, including six critical flaws leading to unauthenticated remote code execution (RCE) with root privileges, allowing for full compromise of confidentiality, integrity, and availability.
Five critical flaws (CVE-2024-50370 to CVE-2024-50374, CVSS 9.8) relate to improper neutralization of special elements used in an OS command (OS Command Injection). CVE-2024-50375 (CVSS 9.8) involves a missing authentication for a critical function.
A chaining attack exists using CVE-2024-50376 (XSS, CVSS 7.3) and CVE-2024-50359 (unauthenticated OS Command Injection, CVSS 7.2) to achieve arbitrary code execution over-the-air, contingent upon the attacker being physically proximate and broadcasting a rogue AP. This chaining attack is triggered when an administrator visits the "Wi-Fi Analyzer" section of the web interface, which automatically embeds information from the attacker's beacon frames.
## Exploitation
- Status: Potential for exploitation exists, especially for RCE and denial-of-service conditions. The XSS/OS Command Injection chain requires physical proximity and a rogue AP broadcast.
- Complexity: Low for critical RCE/authentication bypass flaws; Medium for the chained over-the-air attack requiring physical proximity condition.
- Attack Vector: Network (for RCE/authentication bypass); Network/Proximity (for chained attack).
## Impact
- Confidentiality: High (Root access allows full compromise).
- Integrity: High (Ability to implant backdoors and execute arbitrary code).
- Availability: High (Ability to trigger Denial-of-Service conditions).
## Remediation
### Patches
The following firmware versions address the disclosed vulnerabilities:
- **1.6.5** (for EKI-6333AC-2G and EKI-6333AC-2GD)
- **1.2.2** (for EKI-6333AC-1GPO)
### Workarounds
- The article does not explicitly list workarounds, but mitigation against the proximity-based attack would involve ensuring administrators avoid the "Wi-Fi Analyzer" section if running vulnerable firmware and maintaining physical security around the APs to prevent rogue AP broadcasting.
## Detection
- Detection methods and tools were not specified in detail, but monitoring for C2 traffic or unusual outbound connections originating from these devices should be prioritized post-compromise.
- Indicators of compromise include the presence of persistent backdoors or repurposed endpoints used for lateral movement.
## References
- Vendor advisory (Nozomi Networks): hxxps://www.nozominetworks.com/blog/over-the-air-vulnerabilities-discovered-in-advantech-eki-access-points
- News article: hxxps://thehackernews.com/2024/11/over-two-dozen-flaws-identified-in.html