Having recently updated its software to combat a vulnerability in the secure shell on a new piece of equipment, Advantech has reportedly opened itself up to further known attacks such as Heartbleed, Shellshock and stack-based buffer overflows.
That's according to Tod Beardsley, security engineering manager at Rapid7, posting on the company blog.
Heartbleed was originally discovered in April 2014. It is a security bug in the OpenSSL cryptography library's implementation of the Transport Layer Security (TLS) protocol. Heartbleed is a major bug that affected around half a million of the internet's secure web servers certified by trusted authorities. It allows for theft of passwords, private keys and users' cookies.
Joseph Steinberg, cyber-security entrepreneur, wrote, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the internet.”
Shellshock, also known as Bashdoor, is a family of security bugs in the Bash shell. Many internet-facing services use Bash to process certain requests. Attackers can exploit this by getting vulnerable versions of Bash to execute commands of their choosing, which can be used to gain unauthorised access to a computer system.
A stack-based buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure. This can be done as a deliberate attack known as stack smashing.
The attacker feeds the program more data than the intended data structure can hold, corrupting the stack and taking control of the running process. This is one of the oldest and more reliable ways to gain unauthorised access to a device.
According to Beardsley, the issues in question are quite easy to avoid, and all that was needed was probably an upgrade plus rebuild of the firmware OS. It would seem that, in its rush to fix the other vulnerability, Advantech forgot this crucial step.
“It seems like they forgot to update their base packages when building updates for the last security issue,” he said.
Beardsley was also asked to comment on whether the new features in 1322 could be the reason the vulnerability was discovered in this particular product. He stated, “I don't believe that the v1.98 update changes had anything to do with the outdated library and utility issues. The previous version (v1.96) has these issues as well.”
A spokesperson for Advantech responded to SC's enquiries saying in an email: “Thank you very much for sharing this information. I cannot see it from my location but I can inform you that the issue is recognised by Advantech development team and that a bug fixing firmware release will be ready with urgency. As always Advantech is proud of its reliability and we will do our utmost in solving this issue as soon as possible.”