
Moxa Won’t Patch Publicly Disclosed Flaws Until August | Threatpost

A number of publicly disclosed vulnerabilities in Moxa networking gear won’t be patched until August, if at all, according to ICS-CERT.

Update: A number of publicly disclosed vulnerabilities in Moxa networking gear won’t be patched until August, if at all, according to an alert published on Friday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT).


Researcher Joakim Kennedy of Rapid7 disclosed in March some details affecting critical flaws in Moxa NPort 6110 Modbus/TCP to serial communication gateways, and 5100 and 6000 series serial-to-Ethernet converters.

The set of vulnerabilities ICS-CERT issued its advisory about was found and disclosed by researchers at Digital Bond following an internal assessment of several 5000 and 6000 series devices.

“Labs contacted Moxa in July 2015, and informed the company of these security vulnerabilities. Labs has made repeated contact with Moxa over a period of over six months, sharing additional details as Moxa has requested them,” Digital Bond wrote in its advisory. “Moxa has not yet responded to the security issues in a promising way. In particular, Moxa has not devised a plan for mitigating the issues.”

Moxa said the NPort 6110 device has been discontinued and it will not provide patches. The 5100 and 6000 series will be patched with new firmware expected to be made available in August, ICS-CERT said.

Digital Bond added that four of the vulnerabilities it discovered were given the highest CVSS score of 10.0. Two of the flaws give attackers the ability to either overwrite existing firmware on a device without authentication, or upload unsigned firmware, which could allow an attacker to brick a device.

The devices are also vulnerable to attacks that allow attackers to retrieve admin passwords without authentication, as well as buffer overflow, cross-site scripting and cross-site request forgery vulnerabilities.

Digital Bond said the following are affected: Moxa NPort 5110, firmware release 2.5 (latest available, as of 04 April 2016); Moxa NPort 5130/5150, firmware release 3.5 (latest available, as of 04 April 2016); Moxa NPort 6150/6250/6450/6610/6650, firmware release 1.13 (latest available, as of 04 April 2016); and Moxa NPort 6110, firmware release 1.13 (latest available, as of 04 April 2016).

Rapid7 said in its disclosure of March that the devices it examined are not password-protected and many are reachable online. For example, users are not required to set passwords for the NPort 5100 series, and many do not and are reachable via telnet or a web interface. A Shodan search conducted by Rapid7 found 5,000 Moxa devices online, 46 percent of which are not password-protected.

ICS-CERT said Moxa has validated three of the five vulnerabilities that have been disclosed: one flaw enables an attacker to retrieve account information; another allows an attacker to make remote firmware updates without the need for authentication; and the third is a cross-site request forgery bug. Moxa has not been able to verify a buffer overflow bug leading to remote code execution, nor a cross-site scripting flaw. All of the flaws are remotely exploitable and allow for the execution of malicious script or malware, and privilege escalation.

Rapid7 and Digital Bond also identified ports UDP/4800, TCP/4900, TCP/80, TCP/443, TCP/23, TCP/22, and UDP/161 as possible attack vectors. ICS-CERT says it’s not aware of public attacks.

In the meantime, the devices, which are used to connect remote administration tools to things such as medical devices, industrial applications, point-of-sale systems and more, will remain exposed for at least another four months.

ICS-CERT’s alert did recommend some temporary mitigations, such as password protecting NPort 5100 and 6000 series configuration files to prevent attackers from being able to upload binaries to devices. Vulnerable systems can also be removed from the Internet, while control system networks can be put behind a firewall or isolated from the business network, the alert said. Remote administration should also be conducted over a VPN.
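The network-isolation mitigation above, written out as an added nftables policy for a firewall placed between the business network and the control-system segment that holds the NPort gateways; this is an illustrative example, not configuration from ICS-CERT, Moxa or the researchers, and the device addresses, the VPN subnet and the table name are assumed placeholders.

```nftables
# Added example (not from the article): restrict the NPort service ports
# listed by the researchers to traffic arriving from the remote-administration
# VPN, and drop and log everything else aimed at those ports.
table inet ot_edge {
    set moxa_nport {
        type ipv4_addr
        elements = { 10.20.0.11, 10.20.0.12 }   # constructed gateway addresses
    }
    set moxa_udp_ports {
        type inet_service
        elements = { 4800, 161 }                # UDP ports named in the advisory
    }
    set moxa_tcp_ports {
        type inet_service
        elements = { 4900, 80, 443, 23, 22 }    # TCP ports named in the advisory
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the VPN concentrator's subnet (assumed 10.99.0.0/24) may reach
        # the gateways' management and console ports.
        ip saddr 10.99.0.0/24 ip daddr @moxa_nport tcp dport @moxa_tcp_ports accept
        ip saddr 10.99.0.0/24 ip daddr @moxa_nport udp dport @moxa_udp_ports accept
        # Any other source touching those ports is logged for the SOC and dropped,
        # so attempted web, telnet, SSH or firmware-upload access is visible.
        ip daddr @moxa_nport tcp dport @moxa_tcp_ports log prefix "moxa-mgmt-denied " drop
        ip daddr @moxa_nport udp dport @moxa_udp_ports log prefix "moxa-mgmt-denied " drop
    }
}
```

Load with `nft -f` on the edge firewall; the default-drop forward policy also keeps the gateways off the Internet, which is the other mitigation the alert recommends.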

“Securing legacy hardware is still very difficult, and this is how not to do it,” Kennedy wrote in his disclosure. “Security is being compromised for convenience, and consumers are, in many cases, just using the default settings. The easier you make it for yourself to connect, the easier you make it for the attacker.”

This article was updated April 14 to include information from Digital Bond throughout. 
