Moxa MiiNePort Devices Leak Data, Open to Unauthorized Access

Embedded serial device servers built by Moxa and used in a number of critical industries remain vulnerable to three serious security issues that have not been patched by the vendor.

Embedded device servers made by Moxa remain vulnerable to a trio of vulnerabilities disclosed today in an advisory published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and a blog post by researcher Karn Ganeshen.

Moxa, which is based in Taiwan, will publish a beta patch firmware before the end of the month, ICS-CERT said.

Ganeshen is a prolific industrial control systems bug hunter and in the Moxa devices he found security flaws that could expose these devices used in numerous industries to unauthorized administrative access and critical information stored in plaintext. Ganeshen reported the flaws in MiinePort E1, E2 and E3 versions, specifically MiiNePort_E1_7080 Firmware Version 1.1.10 Build 09120714, MiiNePort_E1_4641 Firmware Version 1.1.10 Build 09120714, MiiNePort_E2_1242 Firmware Version 1.1 Build 10080614, MiiNePort_E2_4561 Firmware Version 1.1 Build 10080614, and MiiNePort E3 Firmware Version 1.0 Build 11071409, but cautions that other versions are likely affected as well.

“Successful exploitation of these vulnerabilities allow silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration and device reboot,” ICS-CERT said in its advisory.

The litany of vulnerabilities on these devices is characteristic of the lax security on ICS and SCADA devices in general. For example, Miineport devices are not, by default, password-protected.

“This allows anyone to access the device over HTTP and Telnet,” Ganeshen wrote. “Access to the device provides full administrative functionality.”

Ganeshen recommends in his report that a mandatory password-change mechanism should be in place that forces a password set on the first login, that enforces password complexity requirements and mandates periodic changes to the password.

Ganeshen also disclosed that Connect passwords and SNMP community strings are not protected and are accessible in plaintext over HTTP or Telnet, and that TLS is not implemented securing this information in transport. He recommends encryption or masking of sensitive information such as passwords or keys in device configuration files and the management portal.

Ganeshen also reported a cross-site request forgery vulnerability in the respective devices.

“There is no CSRF Token generated per page and / or per (sensitive) function,” he said. Echoing ICS-CERT’s warning Ganeshen said, “successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, & device reboot.”

ICS-CERT said that it is not aware of public exploits targeting these flaws, and that an relatively low-skilled hacker could take advantage of these issues.

“Moxa recommends disabling Ports TCP/80 (HTTP) and TCP/23 (TELNET). Moxa indicates that users should ensure that Ports UDP/161 (SNMP), UDP/4800 (utility), and TCP/4900 (utility) are only accessible by trusted systems and that restricting access to Ports UDP/4800 and TCP/4900 will impact remote systems administration,” ICS-CERT said in recommending temporary mitigations, adding that passwords should be enabled.

Suggested articles