Moxa NPort Device Vulnerability Update
Thursday, April 21, 2016 @ 02:04 PM gHale
Moxa has now validated all five of the previously reported NPort Device vulnerabilities, according to a report on ICS-CERT.
The five vulnerabilities include unauthenticated retrievable sensitive account information, unauthenticated remote firmware updates, buffer overflow allowing arbitrary remote code execution, cross-site scripting, and cross-site request forgery.
ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. Reid Wightman of Digital Bond Labs reported the vulnerabilities and coordinated them with the vendor but not with ICS-CERT.
Moxa also identified additional NPort models affected by the reported vulnerabilities.
Moxa confirmed the following NPort devices suffer from the reported vulnerabilities:
• Moxa NPort 5100 series
• Moxa NPort 5200 series
• Moxa NPort 5400 series
• Moxa NPort 5600 series
• Moxa NPort 5600-DT/DTL series
• Moxa NPort 5100A series
• Moxa NPort 5200A series
• Moxa NPort P5150A series
• Moxa NPort 5x50AI-M12 series
• Moxa NPort 6000 series
• Moxa NPort 6110 series
The publicly disclosed vulnerabilities in the Moxa NPort devices include unauthenticated retrievable sensitive account information, which may allow a remote attacker to gain administrator privileges on the affected systems.
The firmware of the affected devices can be updated over the network without authentication, which may allow a remote attacker to completely compromise the system.
Exploitation of the buffer overflow vulnerability may allow an unauthenticated attacker to execute arbitrary code remotely.
The cross-site scripting vulnerability may allow an authenticated party to insert malicious code into webpages, which a web browser then executes.
The cross-site request forgery vulnerability may allow an attacker to trick a user into executing unwanted actions on a web application to which the user has authenticated.
At this time, there is no publicly available exploit code that exploits the identified vulnerabilities.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
Moxa is planning to release a new firmware version in late August 2016 that will address the five reported vulnerabilities in all the affected NPort devices, except for the NPort 6110. Moxa has reported it discontinued the NPort 6110 device in December 2008 and will not release patches to address these vulnerabilities.
Moxa recommends that customers using the NPort 6110 upgrade the affected device.
Moxa also recommends disabling Ports 80/TCP (HTTP), 443/TCP (HTTPS), 22/TCP (SSH), and 23/TCP (TELNET). Moxa indicates users should ensure Ports 161/UDP, 4800/UDP, and 4900/TCP are only accessible by trusted systems. Restricting access to Ports 4800/UDP and 4900/TCP will impact remote systems administration.
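The port guidance above can be checked against firewall flow records for the segment where the NPort devices sit. The following is an added example, not code from Moxa or ICS-CERT; the record format, the addresses and the function name `audit_flows` are assumptions constructed for illustration.

```python
import ipaddress

# Port guidance as stated in the advisory text above.
DISABLE = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 23)}
TRUSTED_ONLY = {("udp", 161), ("udp", 4800), ("tcp", 4900)}

def audit_flows(lines, devices, trusted_nets):
    """Flag accepted flows to NPort devices that contradict the guidance.

    Each line uses a constructed format: 'proto src dst dport action'.
    Returns a list of (line_no, src, dst, 'proto/port', reason) tuples.
    """
    nports = {ipaddress.ip_address(d) for d in devices}
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record
        proto, src, dst, dport, action = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            key = (proto.lower(), int(dport))
        except ValueError:
            continue  # unparsable address or port
        if dst_ip not in nports or action.upper() != "ACCEPT":
            continue  # not an NPort, or the firewall already blocked it
        if key in DISABLE:
            reason = "service Moxa recommends disabling is reachable"
        elif key in TRUSTED_ONLY and not any(src_ip in net for net in trusted):
            reason = "restricted port reached from untrusted source"
        else:
            continue
        findings.append((line_no, src, dst, f"{key[0]}/{key[1]}", reason))
    return findings

# Constructed sample records (private and documentation addresses, not real traffic).
SAMPLE = [
    "tcp 10.20.0.5 10.20.1.10 80 ACCEPT",
    "tcp 10.20.0.5 10.20.1.10 23 DROP",
    "udp 10.20.0.5 10.20.1.10 161 ACCEPT",
    "udp 192.0.2.44 10.20.1.10 4800 ACCEPT",
    "tcp 10.20.0.5 10.20.1.11 4900 ACCEPT",
    "tcp 192.0.2.44 10.20.1.11 4900 ACCEPT",
    "tcp 192.0.2.44 10.20.9.9 80 ACCEPT",
    "garbage",
]
NPORTS = ["10.20.1.10", "10.20.1.11"]   # hypothetical device addresses
TRUSTED = ["10.20.0.0/28"]              # hypothetical management subnet
```

Because restricting 4800/UDP and 4900/TCP affects remote administration, the trusted list should include every management station that still needs those ports.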