Unrated severity · NVD Advisory · Published Nov 7, 2015 · Updated May 6, 2026

CVE-2015-6476

Description

Advantech EKI-122x/132x/136x devices ship with unchangeable hardcoded SSH keys, enabling remote attackers to gain unauthorized access without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Advantech EKI-122x-BE devices with firmware before version 1.65, EKI-132x devices with firmware before version 1.98, and EKI-136x devices with firmware before version 1.27 contain hardcoded SSH keys that cannot be changed by the user [1]. This vulnerability is classified as CWE-798: Use of Hard-coded Credentials [1]. The SSH keys are embedded in the firmware and are not user-configurable, so the SSH service on an affected device cannot be trusted.

Exploitation

An attacker can exploit this vulnerability remotely over the network without any prior authentication [1]. The attacker simply needs to obtain the hardcoded SSH keys (which are embedded in the firmware and can be extracted or deduced from public sources) and then use them to initiate an SSH session to an affected device. No user interaction or privileged access is required. The exploitation complexity is low, as the keys are static and shared across devices [1].

Impact

Successful exploitation allows the attacker to gain unauthorized access to the device via an SSH session [1]. The attacker can read, modify, or intercept communications to and from the device [1]. The CVSS v3 base score is 6.5 with a vector string of (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), indicating a moderate impact on confidentiality and integrity, but no direct impact on availability [1]. The attacker gains full access to the device's SSH shell with the privileges associated with the hardcoded SSH key (typically administrative-level access).

Mitigation

Advantech has released new firmware to address this vulnerability: firmware version 1.65 for EKI-122x-BE devices, version 1.98 for EKI-132x devices, and version 1.27 for EKI-136x devices [1]. Users should update to these fixed versions immediately. No workaround is provided as the hardcoded keys cannot be changed by the user [1]. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
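A fleet audit built on the fixed versions above, as an added example that is not part of the advisory or Advantech's tooling: it flags devices below the fixed firmware for their family and hosts that present the same SSH host key fingerprint. Assumptions: the inventory rows, model names and fingerprints are constructed, the "x" in a family name stands for one digit, firmware versions compare as dotted integers, and a hardcoded key appears as an identical host key fingerprint on more than one device.

```python
import re
from collections import defaultdict

# Fixed firmware per family, from the advisory text ("x" treated as one digit: assumption).
FIXED = {
    r"EKI-122\d-BE": (1, 65),
    r"EKI-132\d": (1, 98),
    r"EKI-136\d": (1, 27),
}

def parse_version(text):
    """Turn '1.65' or 'v1.65' into a tuple of ints (assumes dotted-integer versions)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def fixed_version_for(model):
    """Return the fixed version for an affected family, or None if out of scope."""
    for pattern, fixed in FIXED.items():
        if re.match(pattern, model, re.IGNORECASE):
            return fixed
    return None

def audit(inventory):
    """Return (hosts below fixed firmware, fingerprints seen on more than one host)."""
    outdated, by_fingerprint = [], defaultdict(list)
    for host, model, firmware, fingerprint in inventory:
        fixed = fixed_version_for(model)
        if fixed and parse_version(firmware) < fixed:
            outdated.append(host)
        by_fingerprint[fingerprint].append(host)
    shared = {fp: hosts for fp, hosts in by_fingerprint.items() if len(hosts) > 1}
    return outdated, shared

# Constructed inventory: host, model, firmware, SSH host key fingerprint.
INVENTORY = [
    ("10.0.0.11", "EKI-1221-BE", "1.60", "SHA256:AAAA-constructed"),
    ("10.0.0.12", "EKI-1222-BE", "1.65", "SHA256:BBBB-constructed"),
    ("10.0.0.21", "EKI-1321", "1.90", "SHA256:AAAA-constructed"),
    ("10.0.0.31", "EKI-1361", "1.27", "SHA256:CCCC-constructed"),
    ("10.0.0.41", "OTHER-SWITCH", "0.9", "SHA256:DDDD-constructed"),
]

if __name__ == "__main__":
    outdated, shared = audit(INVENTORY)
    print("below fixed firmware:", outdated)
    print("host key shared by several devices:", shared)
```

In practice the fingerprint column would come from whatever the site already collects, for example the output of `ssh-keyscan` piped through `ssh-keygen -lf -`.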

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

