Vulnerabilities in Industrial Serial-to-Ethernet Converters Enable Remote Control of Critical Infrastructure

Two critical vulnerabilities have recently been found in industrial device servers produced by Lantech, enabling attackers to remotely dial into infrastructures and control affected devices.

Lantech’s IDS-2102 industrial device server is meant to convert serial ports into Ethernet connections, enabling remote over-the-internet access to the device and, consequently, to the critical infrastructure’s network. Both vulnerabilities, CVE-2018-8869 and CVE-2018-8865, have been ranked critical.

The first vulnerability involves improper input validation in the device’s web interface, allowing for cross-site scripting (XSS) and SQL injection attacks. Coupled with a buffer overflow vulnerability, attackers could plant and execute malicious code on the affected device.

“The program ser2net reads the configuration file and interprets it. One function called del_ip_proceeded_0 tries to ensure that the input is a valid IP address. However, they use strcpy to copy the string and here you have a classical stack-based buffer overflow,” said researcher Florian Adamsky of Luxembourg’s SECAN-Lab, who discovered the bug. “So far, we have investigated three common serial-to-ethernet converters and found serious security vulnerabilities in each of them. These devices are normally not cheap (nearly all of them cost > $100) but there is nearly no software quality.”
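The bug class described in the quote above, shown as an added C example; it is not Lantech's firmware code or the researchers' proof of concept. The function names `check_ip_unsafe` and `check_ip_safe` and the sample values are hypothetical, chosen to contrast an unbounded `strcpy` into a fixed stack buffer with a length-checked copy followed by `inet_pton` validation.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define IP_BUF 16  /* "255.255.255.255" plus the terminating NUL */

/* Unsafe pattern: the length of `field` is never checked, so any config
 * value longer than 15 bytes is written past the end of `ip`. */
int check_ip_unsafe(const char *field)
{
    char ip[IP_BUF];
    struct in_addr a;
    strcpy(ip, field);                  /* unbounded copy onto the stack */
    return inet_pton(AF_INET, ip, &a) == 1;
}

/* Hardened form: find the terminator within the buffer size first, copy
 * with an explicit length, then let inet_pton() validate the address. */
int check_ip_safe(const char *field)
{
    char ip[IP_BUF];
    struct in_addr a;
    const char *end;
    size_t n;

    if (field == NULL)
        return 0;
    end = memchr(field, '\0', sizeof ip);
    if (end == NULL || end == field)    /* too long for the buffer, or empty */
        return 0;
    n = (size_t)(end - field);
    memcpy(ip, field, n);
    ip[n] = '\0';
    return inet_pton(AF_INET, ip, &a) == 1;
}

int main(void)
{
    /* Constructed sample config values, not taken from a real device. */
    const char *samples[] = { "192.168.1.10", "10.0.0.256",
                              "1.2.3.4.5.6.7.8.9.10.11.12", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               check_ip_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```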

Although ICS-CERT has published an advisory warning of the severity of the two vulnerabilities and their risk of abuse by threat actors, Lantech has yet to release an official patch despite being contacted by both the National Cybersecurity and Communications Integration Center (NCCIC) and the security researchers (Florian Adamsky and Thomas Engel) who reported the vulnerabilities.

While Lantech has argued that the company stopped supporting IDS-2102 in January 2018, critical infrastructures that still use the device are strongly encouraged to follow NCCIC’s proposed mitigations for avoiding breaches: minimizing network exposure of industrial control systems, hiding them behind firewalls, and using VPNs to remotely dial into critical infrastructure networks.
