Moxa Hole on Discontinued Line
Friday, July 8, 2016 @ 08:07 AM gHale
There is an authorization bypass vulnerability in Moxa’s Device Server Web Console, but the company said the NPort 5232-N was discontinued in 2012 and has produced recommendations to mitigate this vulnerability, according to a report on ICS-CERT.
All versions of Device Server Web Console 5232-N are vulnerable to the remotely exploitable issue, which was discovered by independent researcher Maxim Rupp.
An attacker could exploit this vulnerability to gain access to change settings and data on the target device.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.
The affected product, Device Server Web Console 5232-N, is a serial to Ethernet device. Device Server Web Console devices see action across several sectors, including commercial facilities and energy. Moxa said this product sees use primarily in the United States, Europe, and Asia.
An attacker could identify an authenticated UserId from a parameter passed in a cookie and gain access.
CVE-2016-4503 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.
Moxa recommends disabling Ports 80/TCP (HTTP) and 23/TCP (TELNET). Moxa indicates users should ensure Ports 161/UDP (SNMP), 4800/UDP (utility), and 4900/TCP (utility) are only accessible by trusted systems. Restricting access to Ports 4800/UDP and 4900/TCP will impact remote systems administration.
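One way to confirm these restrictions hold is to audit network flow records for traffic to the device that the recommendations should have eliminated. The following is an added example, not code from Moxa or ICS-CERT; the device address, trusted subnet, and record format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Ports Moxa recommends disabling outright on the NPort 5232-N.
DISABLED = {("tcp", 80): "HTTP", ("tcp", 23): "TELNET"}
# Ports Moxa says must be reachable only from trusted systems.
RESTRICTED = {("udp", 161): "SNMP", ("udp", 4800): "utility", ("tcp", 4900): "utility"}

# Assumptions (not from the advisory): device address and trusted management subnet.
DEVICE = ipaddress.ip_address("192.0.2.10")
TRUSTED = [ipaddress.ip_network("198.51.100.0/28")]

# Constructed sample flow records in an assumed format: "src dst proto dport"
SAMPLE_FLOWS = """\
198.51.100.5 192.0.2.10 udp 161
203.0.113.77 192.0.2.10 tcp 80
198.51.100.5 192.0.2.10 tcp 23
203.0.113.77 192.0.2.10 tcp 4900
198.51.100.9 192.0.2.10 udp 4800
203.0.113.77 192.0.2.20 tcp 80
this line is malformed
"""

def audit_flows(text, device=DEVICE, trusted=TRUSTED):
    """Return (line_no, src, service, reason) for flows that violate the mitigations."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            key = (parts[2].lower(), int(parts[3]))
        except (IndexError, ValueError):
            # Surface bad records instead of silently skipping them.
            findings.append((n, None, None, "unparseable record"))
            continue
        if dst != device:
            continue  # traffic to other hosts is out of scope
        if key in DISABLED:
            # Any traffic here means the service is still enabled, even from trusted hosts.
            findings.append((n, str(src), DISABLED[key], "port should be disabled"))
        elif key in RESTRICTED and not any(src in net for net in trusted):
            findings.append((n, str(src), RESTRICTED[key], "source not trusted"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```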