A vulnerability that exists in embedded computers manufactured by Moxa could allow remote authenticated users to overwrite firmware, in turn rendering the devices unusable.
Moxa, a Taiwan-based networking company, announced recently that instead of patching the line of products affected by the vulnerability, UC 7408-LX-Plus, it would discontinue the devices.
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned on Tuesday about the overwrite vulnerability, and admitted that while it’d be difficult to create a working exploit–the attacker would have to have root level access in the first place–anyone using the devices should replace them.
ICS-CERT issued advisory ICSA-16-152-01 Moxa UC 7408-LX-Plus Firmware Overwrite Vulnerability to ICS CERT web site https://t.co/m9GAUoewmW
— ICS-CERT (@ICSCERT) June 1, 2016
According to ICS-CERT’s advisory, an unnamed third party tipped the team off to the vulnerability.
Overwrite vulnerabilities typically let attackers overwrite arbitrary system files, and in some instances can lead to system instability or denial of service conditions.
The devices are technically data acquisition embedded computers (.PDF) that feature ports, inputs, outputs, and an interface for wireless communication. The devices usually figure into in chemical, water and wastewater systems, food, agriculture and critical infrastructure distributions.
For those who can’t replace the devices, Moxa encourages users to periodically change their administrative passwords, delete old, unused profiles from the system, and enable system logging, among other recommendations.
The company has had a somewhat checkered history of responding to security issues.
A handful of vulnerabilities recently highlighted in networking gear made by the company won’t be patched until August, if at all, according to an alert from ICS-CERT last month. Similar to the UC 7408-LX-Plus line of devices, Moxa announced that it won’t patch, but simply discontinue a vulnerable line of devices, the NPort 6110, and push firmware updates for two other product lines, 5100 and 6000, in August
Last week security researcher Karn Ganeshen warned of three vulnerabilities in Moxa’s MiiNePort server module devices. Ganeshen told Threatpost over the weekend that the issues affecting the serial devices servers aren’t complex issues and stressed that they can be exploited easily. While all of the issues are concerning, especially troubling is a vulnerability that stems from weak credential management.
Despite the urgency of the issues, communication with Moxa has been less than efficient, according to the researcher.
“Even though the issues were reported to Moxa in December 2015, their response was not timely,” Ganeshen said.
Moxa told ICS-CERT it planned on producing beta patch firmware for the MiiNePort vulnerabilities before the end of the month. It’s unclear if that beta was ever pushed to users. According to Moxa’s Support page the last time the drivers and firmware for MiiNePort E1 or MiiNePort E2 were updated was in 2012.
