Moxa Patches ioLogik Controllers
Friday, March 4, 2016 @ 05:03 PM gHale
Moxa created a network security enhancement to mitigate weak authentication vulnerabilities in its ioLogik E2200 Ethernet Micro RTU controllers, according to a report on ICS-CERT.
Exploits that target these remotely exploitable vulnerabilities, discovered by independent researcher Aditya Sood, are publicly available.
The vulnerabilities affect the following versions of ioLogik:
• ioLogik E2200 series, versions prior to 3.12, and
• ioAdmin Configuration Utility, versions prior to 3.18
An attacker could exploit these vulnerabilities to gain access to the device to change settings and data on the target device.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
The affected product, ioLogik E2200 series, is a micro RTU controller for use in monitoring and control. ioLogik sees action across several sectors, including commercial facilities and energy. Moxa estimates these products sees use primarily in the United States, Europe, and Asia.
The device transmits or stores authentication credentials not sufficiently encrypted.
CVE-2016-2282 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.
Also, the device stores or transmits sensitive data using an encryption scheme that is not strong enough for the level of protection required.
CVE-2016-2283 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
Exploits that target these vulnerabilities are publicly available. An attacker with a low skill would be able to exploit these vulnerabilities.
MOXA created new firmware versions with improved password encryption between the ioAdmin utility and the ioLogik E2200 device to mitigate these vulnerabilities.
Moxa recommends installing these two network security enhancements:
Moxa also recommends customers use a secured router or a VPN tunnel to protect internet communication.