Moxa Fixes Buffer Overflows

Friday, August 28, 2015 @ 01:08 PM gHale


Moxa released a new version to mitigate buffer overflow vulnerabilities in its SoftCMS software package, according to a report on ICS-CERT.

HP’s Zero Day Initiative (ZDI) sent the issue over after getting the vulnerabilities from security researcher Carsten Eiram of Risk Based Security, who identified seven vulnerabilities, and Fritz Sands, who discovered two vulnerabilities.

RELATED STORIES
E+H HART Device DTM Hole Fixed
OSIsoft Fixes PI Data Archive Holes
Rockwell Working on Vulnerability Fixes
Moxa RTU Controller Vulnerabilities

SoftCMS, Version 1.3 and prior versions suffer from the remotely exploitable vulnerabilities.

Successful exploitation of these vulnerabilities could cause a buffer overflow condition that may allow remote code execution.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.

The affected product, SoftCMS, is a central management software that manages large scale surveillance systems. SoftCMS sees action across several sectors including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa said these products see use primarily in the United States and Europe with a small percentage in Asia.

For a heap-based buffer overflow, the application is susceptible to multiple buffer overflow conditions that may crash or allow remote code execution.

CVE-2015-6457 is the case number assigned to this vulnerability, which ZDI assigned a CVSS v2 base score of 6.8.

For the classic buffer overflow, the application is susceptible to multiple buffer overflow conditions that may crash or allow remote code execution.

CVE-2015-6458 is the case number assigned to this vulnerability, which ZDI assigned a CVSS v2 base score of 6.8.

No known public exploits specifically target these vulnerabilities. An attacker with medium skill would be able to exploit these vulnerabilities.

Moxa released SoftCMS, Version 1.4 June 1, which addresses the vulnerabilities by removing SStreamVideo ActiveX Control. Click here to download SoftCMS, Version 1.4.