Moxa MiiNePort Vulnerabilities

Wednesday, May 25, 2016 @ 09:05 AM gHale


Moxa will release a beta patch firmware in late May to mitigate weak credential management, sensitive information not protected, and cross-site request forgery vulnerabilities in its MiiNePort serial device server module series, according to a report on ICS-CERT.

These vulnerabilities, discovered by independent researcher Karn Ganeshen, are remotely exploitable.

The following MiiNePort versions suffer from the issues:
• MiiNePort_E1_7080 Firmware Version 1.1.10 Build 09120714,
• MiiNePort_E1_4641 Firmware Version 1.1.10 Build 09120714,
• MiiNePort_E2_1242 Firmware Version 1.1 Build 10080614,
• MiiNePort_E2_4561 Firmware Version 1.1 Build 10080614, and
• MiiNePort E3 Firmware Version 1.0 Build 11071409.

Successful exploitation of these vulnerabilities allows silent execution of unauthorized actions on the device, such as password changes, configuration parameter changes, saving a modified configuration, and device reboot.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., the UK, India, Germany, France, China, Russia, and Brazil.

The affected product, MiiNePort, is a serial device server module. According to Moxa, MiiNePort sees action across several sectors including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa said this product sees use primarily in the United States and Europe with a small percentage in Asia.

Information strings are shown in clear text when viewing the device config file.

CVE-2016-2295 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, the web application does not sufficiently verify whether a well-formed, consistent request was intentionally provided by the user who submitted the request.

CVE-2016-2285 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

Also, by default, no password is set on the device.

CVE-2016-2286 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.

Moxa recommends disabling Ports TCP/80 (HTTP) and TCP/23 (TELNET). Moxa indicates that users should ensure that Ports UDP/161 (SNMP), UDP/4800 (utility), and TCP/4900 (utility) are only accessible by trusted systems, and that restricting access to Ports UDP/4800 and TCP/4900 will impact remote systems administration.

Ensure the passwords have been enabled.
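
One way to confirm the port guidance above has taken effect, as an added example that is not from Moxa or ICS-CERT: a Python check that probes the TCP ports named in the advisory on your own module. The function names, the `from_trusted` flag and the 192.0.2.10 placeholder address are assumptions.

```python
import socket

# TCP services the advisory says to disable, and the TCP utility port it says
# to restrict to trusted systems. UDP/161 and UDP/4800 are not probed here:
# UDP has no handshake, so review the firewall rules for those instead.
DISABLE_TCP = {80: "HTTP", 23: "TELNET"}
RESTRICT_TCP = {4900: "utility"}


def tcp_reachable(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def audit(host, from_trusted, disable=DISABLE_TCP, restrict=RESTRICT_TCP,
          timeout=1.0):
    """Return findings where the device's exposure contradicts the guidance.

    from_trusted (assumed flag): True when run from a trusted management
    system, where the utility port is expected to answer.
    """
    findings = []
    for port, name in sorted(disable.items()):
        if tcp_reachable(host, port, timeout):
            findings.append(f"TCP/{port} ({name}) answers; it should be disabled")
    for port, name in sorted(restrict.items()):
        if not from_trusted and tcp_reachable(host, port, timeout):
            findings.append(f"TCP/{port} ({name}) answers to an untrusted system")
    return findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; use your own module's address.
    for line in audit("192.0.2.10", from_trusted=False) or ["no findings"]:
        print(line)
```

Run it once from a trusted management system and once from any other network segment; only the second run should be able to flag TCP/4900.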