CVE-2022-47558
📋 TL;DR
The ekorCCP and ekorRCI devices from Ormazabal are vulnerable because their FTP service accepts factory default credentials. Anyone who can reach the FTP port and knows those defaults can modify critical files on the device, which allows creating new users, deleting existing users, altering configurations, or installing backdoors. Organizations running these devices with the default FTP configuration are affected.
💻 Affected Systems
- ekorCCP
- ekorRCI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to install rootkits/backdoors, create administrative users, modify all configurations, and potentially disrupt critical infrastructure operations.
Likely Case
Unauthorized access leading to configuration changes, user account manipulation, and potential installation of malicious software on affected devices.
If Mitigated
Limited impact if proper network segmentation, credential management, and monitoring are implemented to detect and block unauthorized FTP access attempts.
🎯 Exploit Status
Exploitation requires only knowledge of the default credentials and network reachability of the FTP service (TCP/21). No specialized tools or skills are needed; a standard FTP client is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-ormazabal-products
Restart Required: No
Instructions:
1. Consult Ormazabal vendor documentation for security updates.
2. Change the default FTP credentials immediately.
3. Disable the FTP service if it is not required.
4. Implement network access controls.
🔧 Temporary Workarounds
Change Default FTP Credentials
Applies to: all
Immediately change the default FTP username and password to strong, unique credentials.
Use the device administration interface to modify the FTP service credentials.
Disable FTP Service
Applies to: all
Disable the FTP service if it is not required for operations.
Use the device administration interface to disable the FTP service.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Deploy network monitoring and intrusion detection to alert on FTP access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt an FTP connection (TCP/21) to the device using the vendor-documented default credentials; a successful login confirms the device is exposed. Also confirm in the device administration interface that the FTP service is enabled and that its credentials were never changed from the factory defaults. FTP transmits credentials in cleartext, so run the check only from a trusted management host.
Check Version:
Consult device administration interface or vendor documentation for firmware version information
Verify Fix Applied:
Verify FTP service uses non-default credentials by attempting connection with old defaults (should fail) and new credentials (should succeed if service enabled).
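The following script is an added example of the "Check if Vulnerable" and "Verify Fix Applied" steps; it is not vendor code. It sends only USER/PASS and never lists or modifies files, so it is safe to run against a production device. The host address and the candidate credential list are placeholders: fill the list from Ormazabal's documentation for your firmware (the default pairs are not reproduced here), and the anonymous pair is a generic FTP check, not a documented device default. Run it only against devices you are authorized to test.

```python
"""Active check for CVE-2022-47558: does the device's FTP service accept a
candidate (default) username/password pair?  Added example, not vendor code."""
import ftplib
import sys
from typing import Iterable, List, Tuple

# Outcome labels returned by try_login().
ACCEPTED = "accepted"        # USER/PASS accepted: device still uses these credentials
REJECTED = "rejected"        # 530 or similar 5xx reply: credentials no longer valid
UNREACHABLE = "unreachable"  # no TCP connection, timeout, or no FTP banner


def try_login(host: str, user: str, password: str,
              port: int = 21, timeout: float = 5.0) -> str:
    """Attempt a single FTP login and classify the outcome.

    Only USER/PASS is sent; no directory listing or file transfer happens.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
    except ftplib.error_perm:
        # 5xx reply to USER/PASS: the pair is not accepted
        return REJECTED
    except (OSError, EOFError, ftplib.Error):
        # Connection refused, timeout, reset, 4xx (e.g. 421 too many users),
        # or a non-FTP service answering on the port.
        return UNREACHABLE
    else:
        return ACCEPTED
    finally:
        try:
            ftp.quit()    # polite QUIT if a session exists
        except Exception:
            ftp.close()   # the socket may never have been opened


def probe(host: str, candidates: Iterable[Tuple[str, str]],
          port: int = 21) -> List[Tuple[str, str, str]]:
    """Try every candidate pair and return (user, password, outcome) triples."""
    return [(u, p, try_login(host, u, p, port)) for u, p in candidates]


def verdict(results: List[Tuple[str, str, str]]) -> str:
    """Reduce probe() output to the three states the Verify section cares about."""
    outcomes = {outcome for _, _, outcome in results}
    if ACCEPTED in outcomes:
        return "VULNERABLE: FTP accepts candidate default credentials"
    if REJECTED in outcomes:
        return "OK: FTP reachable, candidate credentials rejected"
    return "FTP not reachable (service disabled or filtered)"


if __name__ == "__main__":
    # Placeholder host and credential list (assumptions): replace with the device
    # address and the default pairs from Ormazabal's documentation. The anonymous
    # pair is a generic FTP check, not a documented device default.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    candidates = [("anonymous", "anonymous@")]
    results = probe(host, candidates)
    for user, _, outcome in results:
        print(f"{host}:21 user={user!r} -> {outcome}")
    print(verdict(results))
```

Before the fix the old defaults should come back as "accepted"; after changing the credentials they should be "rejected", and after disabling the service the result should be "unreachable". An "unreachable" result from outside the engineering network is also the expected outcome of correct segmentation, so run the check from both sides of the boundary.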
📡 Detection & Monitoring
Log Indicators:
- Failed/successful FTP authentication attempts
- FTP configuration changes
- Unusual file modifications via FTP
Network Indicators:
- FTP traffic to affected devices
- Port 21 connections from unauthorized sources
SIEM Query:
(source_port=21 OR destination_port=21) AND (device_type="ekorCCP" OR device_type="ekorRCI")
The parentheses around the port clause matter: AND binds tighter than OR, so without them the query returns every flow with source port 21 regardless of device type. Field names are illustrative; adjust them to your SIEM schema, and add a NOT src_ip IN (<management hosts>) clause to narrow the result to unauthorized sources.
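The detection rules listed above (authentication outcomes, brute-force attempts, file changes, unauthorized sources) as runnable logic over constructed log lines. This is an added example, not the devices' real syslog output or a vendor rule: the line format, the device names, the paths and the engineering-VLAN allowlist are all assumptions, chosen so the rules can be exercised offline.

```python
"""Detection logic for the FTP indicators above, run over constructed log lines.
Added example; the log format and the allowlist are assumptions, not the
devices' real syslog output."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Tuple

# Assumed line shape: "<ISO time> <device> ftpd: <event> [<path>] user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ftpd: "
    r"(?P<event>LOGIN OK|LOGIN FAIL|STOR|DELE|RNTO|RETR)"
    r"(?: (?P<path>/\S+))? user=(?P<user>\S+) src=(?P<src>[\d.]+)$"
)

# Assumption: only the engineering VLAN may ever talk FTP to these devices.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]
WRITE_COMMANDS = {"STOR", "DELE", "RNTO"}  # anything that changes files on the device
FAIL_THRESHOLD = 3                         # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)         # ... within this window = credential guessing

Alert = Tuple[str, str, str]  # (severity, device, message)


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev: Dict[str, Any] = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_allowed(src: str) -> bool:
    """True if the source address sits inside an allowlisted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_SOURCES)


def detect(lines) -> List[Alert]:
    """Apply the four rules from the Detection section and collect alerts."""
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        host, src, user, event = ev["host"], ev["src"], ev["user"], ev["event"]
        if event == "LOGIN OK":
            # Successful login from outside the allowlist: default creds in use, or stolen ones
            if not is_allowed(src):
                alerts.append(("HIGH", host, f"FTP login as {user!r} from unauthorized source {src}"))
        elif event == "LOGIN FAIL":
            # Sliding window of failures per (device, source); alert once when the threshold is hit
            key = (host, src)
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
            if len(failures[key]) == FAIL_THRESHOLD:
                alerts.append(("MEDIUM", host,
                               f"{FAIL_THRESHOLD} failed FTP logins from {src} within {FAIL_WINDOW}"))
        elif event in WRITE_COMMANDS:
            # Any file change via FTP is noteworthy; from an unauthorized source it is critical
            sev = "HIGH" if not is_allowed(src) else "MEDIUM"
            alerts.append((sev, host, f"file change via FTP: {event} {ev['path']} by {user!r} from {src}"))
    return alerts


# Constructed sample: one maintenance session from the engineering VLAN, then a
# credential-guessing run and file tampering from an outside address.
SAMPLE_LOG = """\
2024-03-02T10:15:03Z ekorRCI-01 ftpd: LOGIN OK user=maint src=10.20.30.5
2024-03-02T10:15:40Z ekorRCI-01 ftpd: RETR /cfg/settings.xml user=maint src=10.20.30.5
2024-03-02T10:16:10Z ekorRCI-01 ftpd: STOR /cfg/settings.xml user=maint src=10.20.30.5
2024-03-02T11:02:11Z ekorCCP-02 ftpd: LOGIN FAIL user=admin src=198.51.100.7
2024-03-02T11:02:14Z ekorCCP-02 ftpd: LOGIN FAIL user=admin src=198.51.100.7
2024-03-02T11:02:19Z ekorCCP-02 ftpd: LOGIN FAIL user=admin src=198.51.100.7
2024-03-02T11:02:25Z ekorCCP-02 ftpd: LOGIN OK user=admin src=198.51.100.7
2024-03-02T11:03:02Z ekorCCP-02 ftpd: STOR /cfg/users.db user=admin src=198.51.100.7
2024-03-02T11:03:10Z ekorCCP-02 ftpd: DELE /cfg/ftp.conf user=admin src=198.51.100.7
"""

if __name__ == "__main__":
    for severity, device, message in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {device}: {message}")
```

On the sample the maintenance STOR from the engineering VLAN produces a single MEDIUM alert (expected during a maintenance window, worth a ticket rather than a page), while the outside address trips the brute-force rule, the unauthorized-login rule and two file-change rules in turn. In production, feed the same rules from the device syslog and pair them with a network rule for TCP/21 connections from outside ALLOWED_SOURCES, which catches scans that never produce an FTP log line.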