Riddled with flaws, serial-to-Ethernet converters endanger critical infrastructure

New RCE and other vulnerabilities: Aside from all the known vulnerabilities from open-source components, the Forescout researchers also performed manual security analysis and identified previously unknown flaws in the firmware of three specific devices from two vendors: Lantronix EDS3000PS Series, Lantronix EDS5000 Series, and Silex SD-330AC.

The web-based management interface of the Lantronix EDS5000 had five flaws in multiple pages and fields caused by missing input sanitization that could lead to remote code execution as root. The Lantronix EDS3000PS had one RCE, an authentication bypass issue and a device takeover flaw where the password change feature did not ask for the old password, potentially allowing attackers to change the password for the administrator account.

While the Lantronix flaws were all in the web interface, some of the 12 vulnerabilities found in the Silex SD-330AC were in various network services, exploitable via UDP packets. In total the researchers found three new RCE flaws, an authentication bypass, an arbitrary file upload issue that could allow unauthenticated attackers to upload firmware binaries, two device takeover and privilege escalation bugs, two configuration tampering flaws, and other issues that could lead to information disclosure and denial-of-service.

In addition, the researchers found that the firmware signing key may be obtainable by attackers, which could give them the ability to create malicious firmware images. Silex is in the process of remediating this issue.

Mitigation: “As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement,” the Forescout researchers said.

Both Lantronix and Silex already released firmware updates to address the reported flaws: SD-330AC Firmware version 1.50, EDS5000 series version 2.2.0.0R1, and EDS3000 series version 3.2.0.0R2.

In addition to patching, Forescout recommends:

- Replacing default credentials and prohibiting weak passwords to reduce the risk of exploiting authenticated vulnerabilities
- Segmenting networks to prevent threat actors from reaching vulnerable serial-to-IP converters or using those devices to compromise other critical assets
- Ensuring they are not exposed to the internet
- Implementing strict access controls for management interfaces (such as the Web UI) so only preapproved management workstations can access them
- Using dedicated subnetworks or VLANs where they are only allowed to communicate with the serial devices they manage and the IP-side devices that should have access to that serial data
- Monitoring for exploitation attempts on serial-to-IP converters and for unusual communication patterns that suggest an attacker is targeting data read from, or sent to, the serial link
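
One way to check flow records against the access-control, segmentation and monitoring recommendations above, as an added example that is not from Forescout, the vendors or the original article. All addresses, ports, finding names and the 'src,dst,dport' record format are constructed assumptions.

```python
import ipaddress

# Constructed policy for one converter; every address and port here is an assumption.
INTERNAL = ipaddress.ip_network("10.20.0.0/16")      # site address space
CONVERTER = ipaddress.ip_address("10.20.30.5")       # serial-to-IP converter
MGMT_PORTS = {80, 443}                               # Web UI
MGMT_HOSTS = {ipaddress.ip_address("10.20.99.10")}   # preapproved management workstation
DATA_PEERS = {ipaddress.ip_address("10.20.30.40")}   # IP-side host allowed the serial data

def audit_flow(src, dst, dport):
    """Return a finding for a flow that breaks the policy, or None if it is allowed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == CONVERTER:
        if src not in INTERNAL:
            return "exposed-to-external-network"
        if dport in MGMT_PORTS:
            return None if src in MGMT_HOSTS else "unapproved-management-access"
        return None if src in DATA_PEERS else "unexpected-peer"
    if src == CONVERTER:
        if dst not in INTERNAL:
            return "converter-initiated-external"
        return None if dst in DATA_PEERS else "converter-initiated-lateral"
    return None  # flow does not involve the converter

def audit_log(lines):
    """Parse 'src,dst,dport' records; return (record, finding) for each violation."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        finding = audit_flow(src, dst, int(dport))
        if finding:
            findings.append((line, finding))
    return findings

# Constructed flow records: initiator, responder, destination port.
SAMPLE = [
    "10.20.99.10,10.20.30.5,443",    # approved workstation to the Web UI
    "10.20.30.40,10.20.30.5,10001",  # data peer to the serial tunnel port (assumed)
    "10.20.30.77,10.20.30.5,80",     # other internal host reaching the Web UI
    "203.0.113.7,10.20.30.5,443",    # documentation-range address standing in for the internet
    "10.20.30.5,10.20.30.88,445",    # converter opening a connection to another asset
]

if __name__ == "__main__":
    for record, finding in audit_log(SAMPLE):
        print(finding, record)
```
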

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4162289/riddled-with-flaws-serial-to-ethernet-converters-endanger-critical-infrastructure.html
