Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router

These vulnerabilities were discovered by Carlos Pacho of Cisco Talos

Today, Talos is disclosing several vulnerabilities that have been identified in the Moxa EDR-810 industrial secure router.

Moxa EDR-810 is an industrial secure router with firewall/NAT/VPN and managed Layer 2 switch functions. It is designed for Ethernet-based security applications in remote control or monitoring networks. Moxa EDR-810 provides an electronic security perimeter for the protection of critical assets such as pumping/treatment systems in water stations, DCS systems in oil and gas applications, and PLC/SCADA systems in factory automation.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix these issues.


Vulnerability Details

TALOS-2017-0472 (CVE-2017-12120) Moxa EDR-810 Web Server ping Command Injection Vulnerability


TALOS-2017-0472 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in the attacker obtaining a root shell. An attacker may be able to inject OS commands into the ifs= parameter of the "/goform/net_WebPingGetValue" URI to trigger this vulnerability and take control of the targeted device.

TALOS-2017-0473 (CVE-2017-12121) Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability


TALOS-2017-0473 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST can cause a privilege escalation resulting in the attacker obtaining a root shell. An attacker can inject OS commands into the rsakey_name= parameter of the "/goform/WebRSAKEYGen" URI to trigger this vulnerability and take control of the targeted device.

TALOS-2017-0474 (CVE-2017-14435 to 14437) Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities


TALOS-2017-0474 describes three separate exploitable denial of service vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can cause a null pointer dereference resulting in a denial of service. An attacker can send a GET request for "/MOXA_LOG.ini", "/MOXA_CFG.ini" or "/MOXA_CFG2.ini" without a Cookie header to trigger these vulnerabilities.

TALOS-2017-0475 (CVE-2017-12123) Moxa EDR-810 Cleartext Transmission of Password Vulnerability


TALOS-2017-0475 is an exploitable cleartext transmission of password vulnerability that exists in the web server and telnet functionality of Moxa EDR-810. An attacker positioned to inspect network traffic may be able to retrieve the administrative password for the device. The attacker may then use the credentials to log in to the device web management console as the device administrator.

TALOS-2017-0476 (CVE-2017-12124) Moxa EDR-810 Web Server URI Denial of Service Vulnerability


TALOS-2017-0476 is an exploitable denial of service vulnerability that exists in the web server functionality of Moxa EDR-810. Access to a specially crafted HTTP URI can cause a null pointer dereference, crashing the web server. An attacker can send a crafted URI to trigger this vulnerability.

TALOS-2017-0477 (CVE-2017-12125) Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability


TALOS-2017-0477 is an exploitable command injection vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request can cause a privilege escalation resulting in access to a root shell. An attacker may be able to inject OS commands into the CN= parameter of the "/goform/net_WebCSRGen" URI to trigger this vulnerability.

TALOS-2017-0478 (CVE-2017-12126) Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability


TALOS-2017-0478 is an exploitable cross-site request forgery (CSRF) vulnerability that exists in the web server functionality of Moxa EDR-810. A specially crafted HTTP request can trigger the CSRF vulnerability, which may allow the attacker to change the device configuration. An attacker can craft a malicious HTML page that issues the request and entice an authenticated user into loading it in their browser to trigger this vulnerability.

TALOS-2017-0479 (CVE-2017-12127) Moxa EDR-810 Plaintext Password Storage Vulnerability


TALOS-2017-0479 is a password storage vulnerability that exists in the operating system functionality of Moxa EDR-810. The device stores credentials in plaintext in /magicP/cfg4.0/cfg_file/USER_ACCOUNT.CFG. This file mirrors the contents of /etc/shadow, except that all of the passwords are stored in plaintext.

TALOS-2017-0480 (CVE-2017-12128) Moxa EDR-810 Server Agent Information Disclosure Vulnerability


TALOS-2017-0480 is an exploitable information disclosure vulnerability that exists in the Server Agent functionality of Moxa EDR-810. A specially crafted TCP packet can cause the device to leak data. An attacker may be able to send such a packet to trigger this vulnerability.

TALOS-2017-0481 (CVE-2017-12129) Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability


TALOS-2017-0481 is an exploitable weak cryptography for passwords vulnerability that exists in the web server functionality of Moxa EDR-810. After the initial login, each authenticated request carries an MD5 hash of the password. This hash is not salted and can be cracked offline, revealing the device's password.
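The following is an added example (not Talos's or Moxa's code) showing why an unsalted, non-iterated hash on the wire is nearly as good as the password itself: one precomputed table of candidate digests serves every capture from every device, so recovery is a dictionary lookup. The page does not give the exact on-wire format, so the example assumes a plain hex MD5 of the password; the wordlist is constructed for the demonstration. For contrast it also shows a salted, iterated derivation (PBKDF2-HMAC-SHA256, the author's choice, not anything the device does), where each captured salt forces the guessing to start over and each guess costs far more.

```python
import hashlib
import os

# Constructed wordlist for the demonstration; a real attack would use a large
# dictionary plus mangling rules.
WORDLIST = ["admin", "moxa", "password", "Moxa1234", "industrial", "letmein"]


def unsalted_md5(password: str) -> str:
    """The kind of digest the advisory describes: MD5 over the bare password
    (assumed hex encoding; the page does not give the exact format)."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_table(wordlist):
    """With no salt, one table of candidate digests serves every device and
    every capture, so cracking collapses to a dictionary lookup."""
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(observed_hex: str, table):
    """Return the password behind a sniffed digest, or None if not in the table."""
    return table.get(observed_hex.lower())


def salted_digest(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a password-derived value should look like instead: a per-account
    random salt and an iterated KDF (PBKDF2-HMAC-SHA256 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(observed: bytes, salt: bytes, wordlist, iterations: int = 100_000):
    """With a salt, every guess must be redone per captured salt, and each guess
    now costs `iterations` HMAC evaluations instead of a single MD5."""
    for w in wordlist:
        if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == observed:
            return w
    return None


if __name__ == "__main__":
    captured = unsalted_md5("Moxa1234")  # what a sniffer would see on the wire
    print("captured:", captured)
    print("cracked :", crack_unsalted(captured, precomputed_table(WORDLIST)))
    salt = os.urandom(16)
    print("salted  :", salted_digest("Moxa1234", salt).hex())
```

The table is built once and reused; the salted variant has to run `crack_salted` again for every distinct salt it sees, which is exactly the cost a salt is meant to impose.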

TALOS-2017-0482 (CVE-2017-14432 to 14434) Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities


TALOS-2017-0482 describes multiple exploitable command injection vulnerabilities that exist in the web server functionality of Moxa EDR-810. A specially crafted HTTP POST request may cause a privilege escalation resulting in the attacker obtaining a root shell. An attacker may be able to inject OS commands into various parameters of the "/goform/net_Web_get_value" URI to trigger these vulnerabilities.
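The four command injection advisories above (TALOS-2017-0472, -0473, -0477 and -0482) share one root cause: a form value is placed on a command line that a shell interprets. As an added example, not code from Talos or from Moxa's firmware, the block below does two things. `findings()` inspects a raw HTTP request and flags the named parameters on the named endpoints when a value contains shell metacharacters or falls outside a strict allowlist, which is the same idea the Snort coverage implements at the network layer. `ping_argv()` shows what a hardened handler should do instead: validate the interface name and target, then run the command as an argv list with no shell in the path. The endpoint paths and the parameter names ifs, rsakey_name and CN come from the advisory summaries; the allowlist patterns, the other parameter names (ping_addr, rsakey_bits) and the sample requests are assumed or constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoints and parameters named in the advisory summaries. The entry for
# net_Web_get_value is empty on purpose: the page only says "various
# parameters", so every parameter posted to that endpoint is inspected.
INJECTABLE = {
    "/goform/net_WebPingGetValue": {"ifs"},
    "/goform/WebRSAKEYGen": {"rsakey_name"},
    "/goform/net_WebCSRGen": {"CN"},
    "/goform/net_Web_get_value": set(),
}

# Characters that end or chain a shell command, or open a substitution.
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(|\$\{")

# Assumed allowlists (not Moxa's policy): an interface name, a key label and a
# certificate CN have no business containing anything outside these sets.
ALLOWED = {
    "ifs": re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,14}$"),
    "rsakey_name": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
    "CN": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, form)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path = target.split("?", 1)[0]
    # parse_qs percent-decodes, so an encoded "%3B" is matched as ";" below.
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, form


def findings(raw: str):
    """Return (path, parameter, reason) for each suspicious value in one request."""
    method, path, _, form = parse_request(raw)
    if method != "POST" or path not in INJECTABLE:
        return []
    watched = INJECTABLE[path] or set(form)
    hits = []
    for name in sorted(watched):
        value = form.get(name)
        if value is None:
            continue
        if SHELL_META.search(value):
            hits.append((path, name, "shell metacharacter"))
        elif name in ALLOWED and not ALLOWED[name].match(value):
            hits.append((path, name, "outside allowlist"))
    return hits


def ping_argv(ifs: str, host: str):
    """How a hardened handler should build the ping command: validate both
    inputs, then return an argv list for an execve-style API. With no shell in
    the path, metacharacters in the value are never interpreted."""
    if not ALLOWED["ifs"].match(ifs):
        raise ValueError("invalid interface name")
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP
    return ["ping", "-c", "1", "-I", ifs, host]


# Constructed sample traffic; addresses are from documentation ranges.
BENIGN = (
    "POST /goform/net_WebPingGetValue HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "ifs=eth0&ping_addr=192.0.2.2"
)
INJECTED = BENIGN.replace("ifs=eth0", "ifs=eth0%3Bid")
ODD_KEY_NAME = (
    "POST /goform/WebRSAKEYGen HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "rsakey_name=my+key&rsakey_bits=2048"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("injected", INJECTED), ("odd", ODD_KEY_NAME)):
        print(label, findings(req))
    print(ping_argv("eth0", "192.0.2.2"))
```

Matching is done after percent-decoding so that encoded metacharacters are not missed, and the allowlist check catches values that carry no metacharacter but still make no sense for the field, which is the check the handler itself should have enforced before ever touching a command line.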

TALOS-2017-0487 (CVE-2017-14438 and 14439) Moxa EDR-810 Service Agent Multiple Denial of Service


TALOS-2017-0487 describes two exploitable denial of service vulnerabilities that exist in the Service Agent functionality of Moxa EDR-810. A specially crafted packet can cause a denial of service. An attacker may be able to send an oversized packet to TCP port 4000 or 4001 to trigger these vulnerabilities.

For the full technical details of these vulnerabilities, please refer to the vulnerability advisories that are posted on our website:

http://www.talosintelligence.com/vulnerability-reports/

Affected versions


The discovered vulnerabilities have been confirmed in Moxa EDR-810 V4.1 build 17030317 but they may also affect earlier versions of the product.

Discussion


Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are used by energy providers, manufacturers and critical infrastructure operators to control and monitor industrial processes. ICS employ many of the mechanisms and protocols also used in traditional IT systems and networks.

Although some characteristics of traditional IT systems and ICS are similar, ICS differ in their service level and performance requirements. Many of these differences come from the fact that ICS have a direct effect on the physical world, which may include a risk to the health and safety of the population and the potential to damage the environment. For that reason ICS have unique reliability requirements and may use real-time operating systems and applications that would not be used in everyday IT environments.

One of the pillars of ICS security, as of the security of traditional IT networks, is restricting network access. This may include unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls, and separate authentication mechanisms and credentials for users of corporate and ICS networks.

ICS devices, including the firewalls that secure these networks, run software which can contain vulnerabilities, and those vulnerabilities can become the pathway by which attackers intrude into an ICS network environment.

The Cisco Talos vulnerability research team also focuses on non-traditional computing environments, including ICS, to find previously unknown vulnerabilities and work with vendors to responsibly disclose them, allowing the vendor enough time to improve the security of the product by fixing the discovered vulnerabilities.

Moxa EDR-810 is a firewall designed specifically to operate within ICS infrastructure and provide network security to ICS processes. Cisco Talos researchers have discovered several vulnerabilities affecting the security of the product. Moxa EDR-810 users are recommended to update the firmware as soon as possible to avoid their ICS environment potentially being exploited by attackers.

Coverage


The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 31939, 40880, 44835-44837, 44840-44842, 44847-44852, 44855, 44858