Moxa OnCell Security Vulnerabilities

Thursday, November 3, 2016 @ 07:11 PM gHale


Moxa created a new version to mitigate the authorization bypass and OS commanding vulnerabilities disclosed in its OnCell Security Software, according to a report with ICS-CERT.

These vulnerabilities, discovered by independent researcher Maxim Rupp, are remotely exploitable.

The following Moxa OnCell versions suffer from the issues:
• OnCellG3470A-LTE
• AWK-1131A/3131A/4131A Series
• AWK-3191 Series
• AWK-5232/6232 Series
• AWK-1121/1127 Series
• WAC-1001 V2 Series
• WAC-2004 Series
• AWK-3121-M12-RTG Series
• AWK-3131-M12-RCC Series
• AWK-5232-M12-RCC Series
• TAP-6226 Series
• AWK-3121/4121 Series
• AWK-3131/4131 Series
• AWK-5222/6222 Series

An unauthorized user could download files by accessing a specific URL. An unauthenticated user is able to execute arbitrary commands through the web console.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.

The affected product, OnCell Security Software, consists of cellular IP gateways that can connect serial or Ethernet devices to a cellular network. OnCell Security Software is used across several sectors, including commercial facilities, critical manufacturing, energy, and transportation systems. Moxa estimates this product is used primarily in Asia and Europe.

Any user is able to download log files by accessing a specific URL. CVE-2016-8362 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

In addition, a user is able to execute arbitrary OS commands on the server.

CVE-2016-8363 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit them.

Moxa recommends users disable HTTP/HTTPS after completing the required configuration through the web browser interface. Users can enable HTTP/HTTPS again via SNMP if needed. If remote control or monitoring is required, users should enable the “IP Protocol Filter” feature of OnCell/AWK products to prevent any unauthorized access to the administrative web management interface.

Moxa has developed the following patch plan, listing each product and its release date:
• OnCellG3470A-LTE, November 1
• AWK-1131A/3131A/4131A Series, November 1
• AWK-3191 Series, May 31, 2017
• AWK-5232/6232 Series, May 31, 2017
• AWK-1121/1127 Series, June 30, 2017
• WAC-1001 V2 Series, June 30, 2017
• WAC-2004 Series, June 30, 2017
• AWK-3121-M12-RTG Series, June 30, 2017
• AWK-3131-M12-RCC Series, June 30, 2017
• AWK-5232-M12-RCC Series, June 30, 2017

No future updates are planned for the following models:
• TAP-6226 Series
• AWK-3121/4121 Series
• AWK-3131/4131 Series
• AWK-5222/6222 Series

Users should contact Moxa for further assistance.
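
As an added example (not from Moxa or ICS-CERT), the Python script below triages an asset inventory against the patch plan and no-update lists above, so that a model such as AWK-3121-M12-RTG is not confused with the unsupported AWK-3121. The inventory entries, their region suffixes, and the reading of "/" as a series sharing one prefix are assumptions.

```python
# Patch plan and no-update lists, copied from the advisory text above.
PATCH_PLAN = (
    "OnCellG3470A-LTE, November 1; AWK-1131A/3131A/4131A Series, November 1; "
    "AWK-3191 Series, May 31, 2017; AWK-5232/6232 Series, May 31, 2017; "
    "AWK-1121/1127 Series, June 30, 2017; WAC-1001 V2 Series, June 30, 2017; "
    "WAC-2004 Series, June 30, 2017; AWK-3121-M12-RTG Series, June 30, 2017; "
    "AWK-3131-M12-RCC Series, June 30, 2017; AWK-5232-M12-RCC Series, June 30, 2017"
)
NO_UPDATE = ("TAP-6226 Series; AWK-3121/4121 Series; "
             "AWK-3131/4131 Series; AWK-5222/6222 Series")

def norm(name):
    """Case- and space-insensitive form, so 'OnCell G3470A' equals 'OnCellG3470A'."""
    return name.upper().replace(" ", "")

def expand(series):
    """'AWK-5232/6232 Series' -> ['AWK-5232', 'AWK-6232'] (assumed reading of '/')."""
    first, *rest = series.replace(" Series", "").strip().split("/")
    prefix = first[: first.index("-") + 1]
    return [first] + [prefix + r for r in rest]

def build_table():
    table = {}
    for entry in PATCH_PLAN.split("; "):
        series, date = entry.split(", ", 1)
        for model in expand(series):
            table[norm(model)] = "patch planned: " + date
    for series in NO_UPDATE.split("; "):
        for model in expand(series):
            table[norm(model)] = "no update planned"
    return table

def classify(model, table):
    # Longest match wins, so AWK-3121-M12-RTG is not mistaken for AWK-3121.
    m = norm(model)
    hits = [k for k in table if m == k or m.startswith(k + "-")]
    return table[max(hits, key=len)] if hits else "not listed"

INVENTORY = [  # constructed sample assets; hostnames and -EU/-US suffixes are made up
    ("gw-plant-01", "OnCell G3470A-LTE-EU"), ("ap-line-03", "AWK-3121-M12-RTG"),
    ("ap-yard-07", "AWK-3121-EU"), ("ap-lab-02", "AWK-3131A-US"),
    ("sw-core-01", "EDS-408A"),
]

def triage(inventory=INVENTORY):
    table = build_table()
    return {host: classify(model, table) for host, model in inventory}

if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:12} {status}")
```

Devices reported as "no update planned" are the ones where the HTTP/HTTPS and IP Protocol Filter recommendations above remain the only mitigation.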


