Severe Flaws Expose Moxa Industrial Routers to Attacks
16.4.2018 securityweek ICS
Cisco’s Talos intelligence and research group has reported identifying a total of 17 vulnerabilities in an industrial router from Moxa, including many high severity command injection and denial-of-service (DoS) flaws.
The security holes have been identified in Moxa EDR-810, an integrated industrial multiport secure router that provides firewall, NAT, VPN and managed Layer 2 switch capabilities. According to the vendor, the device is designed for controlling, monitoring and protecting critical assets, such as pumping and treatment systems in water stations, PLC and SCADA systems in factory automation applications, and DCS in oil and gas organizations.Moxa industrial router vulnerabilities
Several of the problems found by Cisco have been described as high severity command injection vulnerabilities affecting the web server functionality of this Moxa router. The flaws allow an attacker to escalate privileges and obtain a root shell on the system by sending specially crafted HTTP POST requests to the targeted device.
The industrial router is also impacted by several high severity DoS flaws that can be exploited by sending specially crafted requests to the device.
There are also four medium severity issues related to the transmission of passwords in clear text, information disclosure involving the Server Agent functionality, and the use of weakly encrypted or clear text passwords. Cisco has made available technical details and proof-of-concept (PoC) code for each of the vulnerabilities.
The vulnerabilities have been reproduced on Moxa EDR-810 v4.1 devices, and they have been patched by the vendor with the release of version 4.2 on April 12. The issues were reported to Moxa in mid and late November 2017, which means it took the company roughly 150 days to release a fix – this is the average patching time for SCADA systems, according to a report published last year by ZDI.
This was not the first time Talos researchers found vulnerabilities in Moxa products. Last year, Talos published advisories describing more than a dozen security holes uncovered in Moxa access points.
This is also not the first time security experts find weaknesses in Moxa’s EDR routers. Back in 2016, researcher Maxim Rupp identified multiple high severity vulnerabilities that could have been exploited for DoS attacks, privilege escalation, and arbitrary code execution.