Chemical Safety Incidents
Moxa RTU Controller Vulnerabilities
Friday, August 14, 2015 @ 02:08 PM gHale
There is a report of vulnerabilities affecting the Moxa ioLogik E2210 Ethernet Micro RTU controller, according to a report on ICS-CERT.
The Moxa ioLogik E2210 Ethernet Micro RTU controller is a PC-based data acquisition and control device. According to this report, the device’s password can transmit with HTTP and can also store in the cookie. The transmitted password also has weak encryption with MD5 making it vulnerable to cracking.
Aditya K. Sood discovered the vulnerabilities and presented them at DefCon 2015 in Las Vegas.
He reported these vulnerabilities to ICS-CERT a few days before his presentation so the vendor was aware of the issue but has not had time to address it. ICS CERT notified the affected vendor of the report and has asked it to confirm the vulnerabilities and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks.
The disclosure included vulnerability details for the following vulnerability:
• Password transmitted unsecurely with weak encryption, which could lead to unauthorized access and replay attacks
• Client-side encrypted password, which could lead to unauthorized access to the device
• Weakly hashed password contained in the HTTP cookie, which could lead to unauthorized access to the device
All vulnerabilities, except the client-side encrypted password, are remotely exploitable.