Update A number of publicly disclosed vulnerabilities in Moxa networking gear won’t be patched until August, if at all, according to an alert published on Friday by the Industrial Control System Cyber Emergency Response Team (ICS-CERT).
Researcher Joakim Kennedy of Rapid7 disclosed in March some details affecting critical flaws in Moxa NPort 6110 Modbus/TCP to serial communication gateways, and 5100 and 6000 series serial-to-Ethernet converters.
The set of vulnerabilities ICS-CERT issued its advisory about was found and disclosed by researchers at Digital Bond following an internal assessment of a several 5000 and 6000 series devices.
“Labs contacted Moxa in July 2015, and informed the company of these security vulnerabilities. Labs has made repeated contact with Moxa over a period of over six months, sharing additional details as Moxa has requested them,” Digital Bond wrote in its advisory. “Moxa has not yet responded to the security issues in a promising way. In particular, Moxa has not devised a plan for mitigating the issues.”
Moxa said the NPort 6110 device has been discontinued and it will not provide patches. The 5100 and 6000 series will be patched new firmware expected to be made available in August, ICS-CERT said.
Digital Bond added that four of the vulnerabilities it discovered were given the highest CVSS score of 10.0. Two of the flaws give attackers the ability to either overwrite existing firmware on a device without authentication, or upload unsigned firmware, which could allow an attacker to brick a device.
The devices are also vulnerable to attacks that allow attackers to retrieve admin passwords without authentication, as well as buffer overflow, cross-site scripting and cross-site request forgery vulnerabilities.
Digital Bond said the Moxa NPort 5110, firmware release 2.5 (latest available, as of 04 April 2016), Moxa NPort 5130/5150, firmware release 3.5 (latest available, as of 04 April 2016), Moxa NPort 6150/6250/6450/6610/6650, firmware release 1.13 (latest available, as of 04 April 2016, and Moxa NPort 6110, firmware release 1.13 (latest available, as of 04 April 2016) are affected.
Rapid7 said in its disclosure of March that the devices it examined are not password-protected and many are reachable online. For example, users are not required to set passwords for the NPort 5100 series, and many do not and are reachable via telnet or a web interface. A Shodan search conducted by Rapid7 found 5,000 Moxa devices online, 46 percent of which are not password-protected.
ICS-CERT said Moxa has validated three of five vulnerabilities that have been disclosed: one flaw enables an attacker to retrieve account information; another allows an attacker to make remote firmware updates without the need for authentication; and the third is a cross-site request forgery bug. Noxa has not been able to verify a buffer overflow bug leading to remote code execution, nor a cross-site scripting flaw. All of the flaws are remotely exploitable and allow for the execution or malicious script or malware, and privilege escalation.
Rapid7 Digital Bond also identified ports UDP/4800, TCP/4900, TCP/80, TCP/443, TCP/23, TCP/22, and UDP/161 as possible attack vectors. ICS-CERT says it’s not aware of public attacks.
In the meantime, the devices, which are used to connect remote administration tools to things such as medical devices, industrial applications, point-of-sale systems and more, will remain exposed for at least another four months.
ICS-CERT’s alert did recommend some temporary mitigations, such as password protecting NPort 5100 and 6000 series configuration files to prevent attackers from being able to upload binaries to devices. Vulnerable systems can also be removed from the Internet, while control system networks can be put behind a firewall or isolated from the business network, the alert said. Remote administration should also be conducted over a VPN.
“Securing legacy hardware is still very difficult, and this how not to do it,” Kennedy wrote in his disclosure. “Security is being compromised for convenience, and consumers are, in many cases, just using the default settings. The easier you make it for yourself to connect, the easier you make it for the attacker.”
This article was updated April 14 to include information from Digital Bond throughout.
