Cisco Finds Moxa Vulnerabilities

Wednesday, April 12, 2017 @ 09:04 AM gHale

Moxa fixed flaws found by Cisco’s Talos intelligence and research group, which conducted a two-week analysis of an industrial wireless access point (AP).

The research found over a dozen vulnerabilities, including ones that can be exploited to take full control of a device.

Moxa fixed all of the flaws except for one critical weakness, the details of which will not be disclosed until a patch becomes available.

Talos concentrated on Moxa’s AWK-3131A AP, which is recommended for any type of industrial wireless application, said Martin Lee and Warren Mercer in a blog post based on research conducted by Patrick DeSantis.

On the first day of testing, researchers identified the services available on the BusyBox-powered device, including SSH (Dropbear), Telnet, HTTP and HTTPS. Talos said Moxa agreed to share the source code of its BusyBox implementation for proper analysis.

Researchers first identified authentication issues that made it easy for attackers to launch dictionary attacks against the web interface’s login page, and flaws that allowed hackers to hijack user sessions.

On the third day of the investigation, researchers found cross-site scripting (XSS) vulnerabilities in the front-end of the web interface. These flaws can be exploited to hijack user sessions and gain access to the web interface.

Once they are authenticated, attackers can exploit one of the several command injection vulnerabilities to gain full control of the targeted AP.

Several of the security holes found by Talos can allow attackers to obtain potentially valuable information without any authentication, including passwords, firewall rules and network configuration data.

The researchers also uncovered a denial-of-service (DoS) vulnerability that can be exploited remotely to crash the web application.

On the last day of testing, researchers identified several cryptography-related issues. They found that the Moxa AP used an outdated version of OpenSSL (1.0.0d from 2011) and that it was vulnerable to attacks such as POODLE and DROWN.

“Our research demonstrates how many vulnerabilities can be quickly discovered by analyzing a device,” Lee and Mercer said in their post. “There is nothing to suggest that this device is more or less vulnerable than any other. Indeed, the vulnerabilities we discovered are exactly the types of vulnerabilities likely to be discovered on any ICS device.”
