Moxa Fixes Additional ioLogik Device

Wednesday, February 1, 2017 @ 10:02 AM gHale


Another device series turned out to carry the same vulnerabilities, so Moxa has released new firmware editions that mitigate the issues not only in its ioLogik E1200 series but also in its E2200 series devices, according to a report with ICS-CERT.

Alexandru Ariciu of Applied Risk discovered the issues in Moxa’s ioLogik E1200 series and ioLogik E2200 series devices. Moxa created new editions of the firmware to mitigate the vulnerabilities on both series, and Ariciu tested the firmware to validate that it resolves them. Moxa previously cleared the issues in the E1200 series in October; however, Ariciu also found the same vulnerabilities in the E2200 series, which Moxa has just mitigated.


Exploits that target these vulnerabilities are publicly available.

Moxa reports the vulnerabilities affect the following products:
• ioLogik E1210, firmware Version V2.4 and prior
• ioLogik E1211, firmware Version V2.3 and prior
• ioLogik E1212, firmware Version V2.4 and prior
• ioLogik E1213, firmware Version V2.5 and prior
• ioLogik E1214, firmware Version V2.4 and prior
• ioLogik E1240, firmware Version V2.3 and prior
• ioLogik E1241, firmware Version V2.4 and prior
• ioLogik E1242, firmware Version V2.4 and prior
• ioLogik E1260, firmware Version V2.4 and prior
• ioLogik E1262, firmware Version V2.4 and prior
• ioLogik E2210, firmware versions prior to V3.13
• ioLogik E2212, firmware versions prior to V3.1
• ioLogik E2214, firmware versions prior to V3.12
• ioLogik E2240, firmware versions prior to V3.12
• ioLogik E2242, firmware versions prior to V3.12
• ioLogik E2260, firmware versions prior to V3.13
• ioLogik E2262, firmware versions prior to V3.12
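The affected-version list above is written two ways ("V2.4 and prior" for the E1200 models, "prior to V3.13" for the E2200 models), which makes a manual inventory check error-prone. As an added example, not code from Moxa or ICS-CERT, the following script compares each device in an inventory against the first fixed firmware edition Moxa lists for that model on this page; the inventory lines are constructed for illustration.

```python
"""Triage an inventory of Moxa ioLogik devices against the fixed firmware
editions listed in this advisory.  Added example, not Moxa's or ICS-CERT's
code; the inventory lines below are constructed, not real devices."""
import re
from typing import Dict, List, Tuple

# First firmware edition that carries the fix, per model, as listed on this page.
FIXED_FIRMWARE: Dict[str, str] = {
    "ioLogik E1210": "V2.5", "ioLogik E1211": "V2.4", "ioLogik E1212": "V2.5",
    "ioLogik E1213": "V2.6", "ioLogik E1214": "V2.5", "ioLogik E1240": "V2.4",
    "ioLogik E1241": "V2.5", "ioLogik E1242": "V2.5", "ioLogik E1260": "V2.5",
    "ioLogik E1262": "V2.5",
    "ioLogik E2210": "V3.13", "ioLogik E2212": "V3.14", "ioLogik E2214": "V3.12",
    "ioLogik E2240": "V3.12", "ioLogik E2242": "V3.12", "ioLogik E2260": "V3.13",
    "ioLogik E2262": "V3.12",
}

_VER = re.compile(r"^[Vv]?(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int]:
    """'V2.4' -> (2, 4); raises ValueError on anything that is not major.minor."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(model: str, version: str) -> bool:
    """True when the running firmware predates the fixed edition for the model.
    Unknown models raise KeyError so they are noticed rather than silently passed."""
    return parse_version(version) < parse_version(FIXED_FIRMWARE[model])


# Constructed sample inventory: "<model>,<firmware>", one device per line.
SAMPLE_INVENTORY = """\
ioLogik E1210,V2.4
ioLogik E1212,V2.5
ioLogik E2212,V3.1
ioLogik E2260,V3.13
ioLogik E2262,V3.11
"""


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return (model, running, fixed) for every device that still needs the upgrade."""
    needs_upgrade = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        model, version = (part.strip() for part in line.split(",", 1))
        if is_affected(model, version):
            needs_upgrade.append((model, version, FIXED_FIRMWARE[model]))
    return needs_upgrade


if __name__ == "__main__":
    for model, running, fixed in triage(SAMPLE_INVENTORY):
        print(f"{model}: running {running}, upgrade to {fixed}")
```

Versions are compared as integer major and minor components, which is the reading under which "prior to V3.13" covers both V3.1 and V3.12; a device whose firmware string does not match that shape is reported as an error rather than quietly passed.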

An attacker who exploits these vulnerabilities may be able to remotely execute arbitrary code, modify parameters and settings, or reset the device.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.

The affected products, ioLogik E1200 series and E2200 series, are remote I/O for use in monitoring. Moxa said ioLogik sees action across several sectors, including commercial facilities and energy. Moxa estimates that these products see use primarily in the United States, Europe, and Asia.

In one vulnerability, the web application fails to sanitize user input, which may allow an attacker to inject script or execute arbitrary code.

CVE-2016-8359 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, a password may be transmitted in a format that is not sufficiently secure.

CVE-2016-8372 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

Also, users are restricted to using short passwords.

CVE-2016-8379 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.1.

In addition, the web application may not sufficiently verify whether a request was provided by a valid user.

CVE-2016-8350 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
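Three of the four weaknesses above are classic web-application defects: user input reflected into HTML without sanitisation, a password length limit that forces short passwords, and state-changing requests that are not tied to an authenticated user. The following is an added example in generic Python, not Moxa firmware code, showing the corresponding controls in one request handler; the session and form layout, the anti-forgery token scheme and the 12-character minimum are assumptions made for the illustration, and the insecure password transport issue (CVE-2016-8372) is a transport-layer matter not shown here.

```python
"""Hardened handling for the web-application weakness classes this advisory
names: unescaped user input reflected into HTML (CVE-2016-8359), short
passwords (CVE-2016-8379) and requests not verified against a valid user
(CVE-2016-8350).  Added example, not Moxa firmware code; session/form shapes
and the minimum length are assumptions."""
import hmac
import html
import secrets
from typing import Dict, Tuple

MIN_PASSWORD_LEN = 12  # assumed policy value, not taken from the advisory


def new_session(user: str = "admin") -> Dict[str, str]:
    """Create a logged-in session carrying a random anti-forgery token."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def request_is_authentic(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """A state-changing request must come from a logged-in session and present
    the token issued to that session.  compare_digest keeps the check
    constant-time; encoding to bytes avoids TypeError on non-ASCII input."""
    if not session.get("user"):
        return False
    presented = form.get("csrf_token", "").encode("utf-8")
    expected = session["csrf_token"].encode("utf-8")
    return hmac.compare_digest(presented, expected)


def password_acceptable(password: str) -> bool:
    """Enforce a minimum length instead of a maximum."""
    return len(password) >= MIN_PASSWORD_LEN


def render_device_name(name: str) -> str:
    """Escape before reflecting into HTML so markup in the name stays text."""
    return f"<h1>Device: {html.escape(name, quote=True)}</h1>"


def handle_settings_update(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, body) for a settings-change request."""
    if not request_is_authentic(session, form):
        return 403, "request not tied to a logged-in session"
    if "password" in form and not password_acceptable(form["password"]):
        return 400, f"password must be at least {MIN_PASSWORD_LEN} characters"
    return 200, render_device_name(form.get("device_name", ""))


if __name__ == "__main__":
    session = new_session()
    print(handle_settings_update(session, {"device_name": "pump-1"}))
    print(handle_settings_update(session, {"csrf_token": session["csrf_token"],
                                           "device_name": "<b>pump-1</b>"}))
```

The ordering matters: the request is bound to the session before any field is examined, the password policy is a floor rather than a ceiling, and escaping happens at the point where the value is written into HTML rather than on input, so the stored name is preserved exactly.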

Detailed vulnerability information is publicly available and could be used to develop an exploit that targets these vulnerabilities. An attacker with low skill would be able to exploit them.

Moxa created new firmware to mitigate these vulnerabilities and recommends all users upgrade to the latest version. The fixed firmware editions, available for download from Moxa, are:
• ioLogik E1210 V2.5
• ioLogik E1211 V2.4
• ioLogik E1212 V2.5
• ioLogik E1213 V2.6
• ioLogik E1214 V2.5
• ioLogik E1240 V2.4
• ioLogik E1241 V2.5
• ioLogik E1242 V2.5
• ioLogik E1260 V2.5
• ioLogik E1262 V2.5
• ioLogik E2210 V3.13
• ioLogik E2212 V3.14
• ioLogik E2214 V3.12
• ioLogik E2240 V3.12
• ioLogik E2242 V3.12
• ioLogik E2260 V3.13
• ioLogik E2262 V3.12
