Serial-to-Ethernet adapters used in industrial, retail, and healthcare environments to link serial devices to TCP/IP networks are riddled with vulnerabilities and outdated open-source components, researchers warn. The flaws enable various attack scenarios, including taking full control of mission-critical equipment such as remote terminal units, programmable logic controllers, point-of-sale systems, and bedside patient monitors.
In a new study dubbed BRIDGE:BREAK, researchers from cybersecurity firm Forescout analyzed the firmware from five major vendors of serial-to-IP converters and found that each firmware image contained on average 80 open-source software components with almost 2,500 known vulnerabilities in them and 89 publicly available exploits.
In addition, the researchers identified 22 new vulnerabilities in three devices from Lantronix and Silex Technology America with impact ranging from remote code execution to authentication bypass, information disclosure, and denial-of-service.
Search engines such as Shodan show close to 20,000 internet-exposed serial-to-Ethernet converters, though the number of such devices deployed within networks is likely in the millions, as they are used across many industries. But even when they are not directly connected to the internet, attackers can still reach such devices after breaking into internal networks through a variety of other initial access vectors.
Because serial protocols often lack authentication or encryption “attackers may alter serial data received from a sensor as it moves into the IP network,” the researchers said. “For example, changing temperature, pressure, humidity, flow, patient heart rate readings to arbitrary values. Conversely, attackers may modify commands traveling from the IP network to the serial side before they reach an actuator. For example, changing the speed or direction of a servo motor.”
Serial-to-IP converters have been targeted in real-world attacks against critical infrastructure in the past. For example, in a 2015 cyberattack that disrupted power distribution at several power substations in Ukraine, attackers loaded corrupted firmware onto Moxa serial-to-IP converters via the firmware update function.
Then just a few months ago in December, wind and solar farms in Poland were targeted by Russian hackers in a cyberattack that involved resetting the configurations on Moxa NPort serial device servers. The devices were not directly exposed to the internet, but attackers gained access to them after compromising VPN concentrators.
Vulnerable components and lack of firmware hardening
Firmware in the devices analyzed by Forescout was running old versions of the Linux kernel as well as other outdated libraries and userspace binaries. In addition, half of the Linux kernel branches observed had reached end of life, complicating future updates.
As a result, analyzed firmware images had more than 2,000 known vulnerabilities on average, most located in the Linux kernel itself. The firmware image with the lowest number of flaws still had 210 vulnerabilities. Of course, not all flaws are equal, but on average 68% were low or medium severity, 29% were high severity, and 3% were critical severity.
Because of the old kernel versions used, the anti-exploit mitigations applied at the OS level for binaries were also highly inconsistent. Only 23% of firmware images used stack canaries, a feature that detects and aborts stack smashing exploits; 44% used RELRO (Relocation Read-Only), which prevents attackers from redirecting execution by overwriting the Global Offset Table; 67% used PIE (Position Independent Executable), a mechanism that makes Return Oriented Programming (ROP) attacks much harder; and 84% used NX (No-eXecute bit), a feature that marks stack and heap memory regions as non-executable to prevent straightforward buffer overflow exploits.
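The four mitigations above can be read straight from an ELF binary's headers, which is how a firmware audit like Forescout's arrives at per-image percentages. The following checker is an added example written for this article, not Forescout's tooling: it parses ELF32/ELF64 program headers with the standard library only (no pyelftools), treats a missing PT_GNU_STACK segment as an executable stack, reports partial RELRO from PT_GNU_RELRO, and uses the imported `__stack_chk_fail` symbol as the canary indicator. The `build_sample_elf64` helper constructs a minimal, non-loadable test image so the check can be exercised without real device firmware.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552   # GNU-specific segment types
ET_DYN, ET_EXEC, PF_X = 3, 2, 0x1

def elf_hardening(data: bytes) -> dict:
    """Report NX / RELRO / PIE / stack-canary indicators for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(end + "H", data, 16)[0]   # same offset in ELF32/64
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(end + "I", data, off)[0]
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32 headers
        p_flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        # A missing PT_GNU_STACK segment makes most loaders default to an executable stack
        "nx": stack_flags is not None and not stack_flags & PF_X,
        "relro": relro,                       # partial RELRO; full RELRO also needs BIND_NOW
        "pie": e_type == ET_DYN,
        # Binaries built with -fstack-protector import __stack_chk_fail from libc
        "canary": b"__stack_chk_fail" in data,
    }

def build_sample_elf64(nx=True, relro=True, pie=True, canary=True) -> bytes:
    """Constructed test data: a minimal, non-loadable ELF64 image carrying only
    the headers this check reads (not real device firmware)."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]      # RW vs RWX stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9  # 64-bit, little-endian, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                              0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body + (b"__stack_chk_fail\x00" if canary else b"")
```

Run `elf_hardening(open(path, "rb").read())` over every ELF file in an extracted root filesystem and tally the four flags to reproduce the kind of per-image percentages quoted above.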
New RCE and other vulnerabilities
Aside from all the known vulnerabilities from open-source components, the Forescout researchers also performed manual security analysis and identified previously unknown flaws in the firmware of three specific devices from two vendors: the Lantronix EDS3000PS Series, the Lantronix EDS5000 Series, and the Silex SD-330AC.
The web-based management interface of the Lantronix EDS5000 had five flaws in multiple pages and fields caused by missing input sanitization that could lead to remote code execution as root. The Lantronix EDS3000PS had one RCE, an authentication bypass issue, and a device takeover flaw where the password change feature did not ask for the old password, potentially allowing attackers to change the password for the administrator account.
While the Lantronix flaws were all in the web interface, some of the 12 vulnerabilities found in the Silex SD-330AC were in various network services, exploitable via UDP packets. In total, the researchers found three new RCE flaws, an authentication bypass, an arbitrary file upload issue that could allow unauthenticated attackers to upload firmware binaries, two device takeover and privilege escalation bugs, two configuration tampering flaws, and other issues that could lead to information disclosure and denial-of-service.
In addition, the researchers found that the firmware signing key may be obtainable by attackers, which could give them the ability to create malicious firmware images. Silex is in the process of remediating this issue.
Mitigation
“As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement,” the Forescout researchers said.
Both Lantronix and Silex have already released firmware updates to address the reported flaws: SD-330AC firmware version 1.50, EDS5000 series version 2.2.0.0R1, and EDS3000 series version 3.2.0.0R2.
In addition to patching, Forescout recommends:
- Replacing default credentials and prohibiting weak passwords to reduce the risk of exploiting authenticated vulnerabilities
- Segmenting networks to prevent threat actors from reaching vulnerable serial-to-IP converters or using those devices to compromise other critical assets
- Ensuring they are not exposed to the internet
- Implementing strict access controls for management interfaces (such as the Web UI) so only preapproved management workstations can access them
- Using dedicated subnetworks or VLANs where they are only allowed to communicate with the serial devices they manage and the IP-side devices that should have access to that serial data
- Monitoring for exploitation attempts on serial-to-IP converters and for unusual communication patterns that suggest an attacker is targeting data read from, or sent to, the serial link
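The last three recommendations reduce to one policy per converter: a short list of hosts that may reach its management interface, and a short list of IP-side hosts that may consume its serial data, with everything else treated as a probe. The following is an added example (not Forescout's or any vendor's code) that applies such a policy to flow records; the addresses, port numbers, and the `ts proto src dst dport` log format are all assumptions constructed for the demonstration.

```python
from collections import Counter

# Constructed policy for one converter (all addresses and ports are assumptions):
# who may reach its management interface, and who may consume its serial data.
POLICY = {
    "10.10.5.20": {
        "mgmt_ports": {22, 80, 443},            # Web UI / SSH management
        "mgmt_allowed": {"10.10.1.5"},          # preapproved management workstation
        "data_ports": {4001},                   # TCP port bridged to the serial line
        "data_allowed": {"10.10.2.30"},         # the SCADA host that reads the sensor
    },
}

def classify_flow(src: str, dst: str, dport: int):
    """Return an alert label for a flow toward a monitored converter, else None."""
    rule = POLICY.get(dst)
    if rule is None:
        return None                             # not a converter we monitor
    if dport in rule["mgmt_ports"]:
        return None if src in rule["mgmt_allowed"] else "mgmt-from-unapproved-host"
    if dport in rule["data_ports"]:
        return None if src in rule["data_allowed"] else "serial-data-from-unexpected-host"
    return "probe-of-unexpected-service"        # e.g. UDP to a service nobody should use

def triage(log_lines):
    """Parse constructed 'ts proto src dst dport' lines and count alerts by source."""
    alerts = Counter()
    for line in log_lines:
        _ts, _proto, src, dst, dport = line.split()
        label = classify_flow(src, dst, int(dport))
        if label:
            alerts[(src, label)] += 1
    return alerts

SAMPLE_LOG = [  # constructed flow records, not captured traffic
    "10:00:01 tcp 10.10.1.5 10.10.5.20 443",    # approved admin opens the Web UI
    "10:00:02 tcp 10.10.2.30 10.10.5.20 4001",  # SCADA host reads the serial data
    "10:00:05 tcp 10.10.7.99 10.10.5.20 80",    # unknown host hits the Web UI
    "10:00:06 udp 10.10.7.99 10.10.5.20 5353",  # same host probing another service
    "10:00:09 tcp 10.10.7.99 10.10.5.20 4001",  # same host pulling serial data
]
```

A single source accumulating all three labels, as 10.10.7.99 does in the sample, is the pattern the monitoring recommendation describes: an internal host working its way from the management interface to the serial data path.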