Moxa NPort Device Vulnerabilities
Monday, April 11, 2016 @ 08:04 AM gHale
There is a public report of remotely exploitable vulnerabilities affecting Moxa NPort 6110, 5100 series, and 6000 series devices, according to a report on ICS-CERT.
The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway. Moxa NPort 5100 series and 6000 series devices are serial-to-Ethernet converters.
The vulnerabilities include unauthenticated retrieval of sensitive account information, unauthenticated remote firmware updates, a buffer overflow allowing arbitrary remote code execution, cross-site scripting, and cross-site request forgery, according to this report.
The researcher released the report after initially coordinating with the vendor. ICS-CERT notified Moxa of the report and Moxa has validated three of the five reported vulnerabilities. Moxa has not yet been able to validate the buffer overflow or cross-site scripting vulnerabilities.
ICS-CERT issued an alert to provide early notice of the report and identify baseline mitigations for reducing risks from these and other cybersecurity attacks.
ICS-CERT is aware of public reporting of vulnerabilities in the following Moxa NPort devices:
• Moxa NPort model 6110, firmware Version 1.13
• Moxa NPort model 5110, firmware Version 2.5
• Moxa NPort models 5130 and 5150, firmware Version 3.5
• Moxa NPort models 6150, 6250, 6450, 6610, and 6650, with firmware Version 1.13
The publicly disclosed vulnerabilities in the Moxa NPort devices include unauthenticated retrieval of sensitive account information, which may allow a remote attacker to gain administrator privileges on the affected systems. The firmware of the affected devices can be updated over the network without authentication, which may allow a remote attacker to completely compromise the system. Exploitation of the buffer overflow vulnerability may allow an unauthenticated attacker to execute arbitrary code remotely.
The cross-site scripting vulnerability may allow an authenticated party to insert malicious code into webpages, which a web browser would then execute.
The cross-site request forgery vulnerability may allow an attacker to trick a user into executing unwanted actions on a web application to which the user has authenticated.
The public disclosure identified the following ports as potential access vectors: UDP/4800, TCP/4900, TCP/80, TCP/443, TCP/23, TCP/22, and UDP/161. At this time, ICS-CERT is not aware of publicly available exploit code that exploits the identified vulnerabilities.
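A defender can use the port list and affected-firmware list above to audit exported firewall or flow records for exposure. The following is an added example, not part of the ICS-CERT alert or Moxa's guidance; the record format, inventory, addresses, and trusted subnet are constructed assumptions.

```python
import csv
import io
import ipaddress

# Potential access vectors named in the public disclosure (from the article).
NPORT_PORTS = {("udp", 4800), ("tcp", 4900), ("tcp", 80), ("tcp", 443),
               ("tcp", 23), ("tcp", 22), ("udp", 161)}

# Model -> firmware version listed as affected in the article.
AFFECTED_FW = {"6110": "1.13", "5110": "2.5", "5130": "3.5", "5150": "3.5",
               "6150": "1.13", "6250": "1.13", "6450": "1.13",
               "6610": "1.13", "6650": "1.13"}

# Constructed sample data: device inventory, management subnet, flow export
# in the assumed format time,proto,src,dst,dport,action.
INVENTORY = {"10.20.0.11": ("5150", "3.5"), "10.20.0.12": ("6110", "1.13"),
             "10.20.0.13": ("6450", "1.14")}
TRUSTED_NETS = [ipaddress.ip_network("10.20.9.0/24")]
SAMPLE_FLOWS = """\
2016-04-11T08:01:02,tcp,10.20.9.5,10.20.0.11,443,accept
2016-04-11T08:03:40,udp,192.0.2.77,10.20.0.11,4800,accept
2016-04-11T08:04:10,tcp,198.51.100.9,10.20.0.12,4900,accept
2016-04-11T08:05:00,tcp,198.51.100.9,10.20.0.12,23,drop
2016-04-11T08:06:30,udp,203.0.113.4,10.20.0.13,161,accept
2016-04-11T08:07:00,tcp,203.0.113.4,10.20.0.99,80,accept
garbled line
"""

def audit_flows(flow_csv, inventory=INVENTORY, trusted=TRUSTED_NETS):
    """Return accepted flows from untrusted sources to NPort disclosure ports."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip malformed records rather than abort the audit
        ts, proto, src, dst, dport, action = (f.strip() for f in row)
        try:
            src_ip, port = ipaddress.ip_address(src), int(dport)
        except ValueError:
            continue
        if action != "accept" or dst not in inventory:
            continue
        if (proto.lower(), port) not in NPORT_PORTS:
            continue
        if any(src_ip in net for net in trusted):
            continue
        model, fw = inventory[dst]
        # fw_listed is True only for the exact versions the article names;
        # the status of other versions is not stated there.
        findings.append({"time": ts, "src": src, "dst": dst, "model": model,
                         "port": f"{proto}/{port}",
                         "fw_listed": AFFECTED_FW.get(model) == fw})
    return findings
```

Devices reported with `fw_listed` set to False still warrant review, since the article gives no status for firmware versions other than those listed.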
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil. The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway that integrates Ethernet and serial Modbus devices. The Moxa NPort 5100 series and 6000 series devices are serial-to-Ethernet converters that can be used to connect serial devices to an Ethernet network.
ICS-CERT is coordinating with Moxa and the security researcher to identify mitigations. Moxa is planning to release a new firmware version in late-August 2016 for the NPort 5100 and 6000 series devices, which will address the unauthenticated retrieval of sensitive account information, unauthenticated remote firmware update, and cross-site request forgery vulnerabilities. Moxa has not yet been able to validate the buffer overflow and cross-site scripting vulnerabilities identified in the public reporting.
Moxa said the Moxa NPort 6110 has been discontinued and will not have patches released to address these vulnerabilities. Moxa recommends that customers using legacy devices upgrade the affected devices.