Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities
2018-04-13T00:00:00
ID: TALOS-2017-0474 | Type: talos | Reporter: Talos Intelligence | Modified: 2018-04-13T00:00:00
Description
Talos Vulnerability Report
TALOS-2017-0474
Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities
April 13, 2018
CVE Number
CVE-2017-14435, CVE-2017-14436, CVE-2017-14437
Summary
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to “/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini” without a cookie header to trigger this vulnerability.
This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.
A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.
CVE-2017-14435 - /MOXA_CFG.ini
In the following code snippet, R0 (the s1 argument passed to strcmp) is NULL if the cookie header is not set, so the strcmp call dereferences a null pointer:
.text:0001B544 LDR R0, [R11,#s1] ; s1
.text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini"
.text:0001B54C BL strcmp
CVE-2017-14436 - /MOXA_CFG2.ini
In the following code snippet, R0 (the s1 argument passed to strcmp) is NULL if the cookie header is not set, so the strcmp call dereferences a null pointer:
.text:0001B55C LDR R0, [R11,#s1] ; s1
.text:0001B560 LDR R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini"
.text:0001B564 BL strcmp
CVE-2017-14437 - /MOXA_LOG.ini
In the following code snippet, R0 (the s1 argument passed to strcmp) is NULL if the cookie header is not set, so the strcmp call dereferences a null pointer:
.text:0001B574 LDR R0, [R11,#s1] ; s1
.text:0001B578 LDR R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini"
.text:0001B57C BL strcmp
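All three snippets share one defect, a pointer handed to strcmp without a NULL check, so one added example covers them. The C below is not Moxa's firmware code and is not taken from the advisory; it is a constructed model of the pattern the disassembly shows next to the hardened form a defender would ship. The advisory states only that s1 is nil when no Cookie header is present, so the model assumes (an assumption, not a fact from the report) that the server fills s1 from the request only when a Cookie header exists. The request parser, the sample requests and the HTTP status codes are likewise constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 128

/* Parsed view of one request: path plus whether any Cookie header was sent. */
struct request {
    char path[PATH_MAX_LEN];
    int has_cookie;
};

/* The three file names the advisory's strcmp calls compare against. */
static const char *const PROTECTED[] = {
    "/MOXA_CFG.ini", "/MOXA_CFG2.ini", "/MOXA_LOG.ini"
};

/* Constructed sample requests (not captured from a real device). */
static const char REQ_NO_COOKIE[] =
    "GET /MOXA_LOG.ini HTTP/1.1\r\nHost: 192.168.127.254\r\n"
    "User-Agent: curl/7.58.0\r\nAccept: */*\r\n\r\n";
static const char REQ_WITH_COOKIE[] =
    "GET /MOXA_CFG.ini HTTP/1.1\r\nHost: 192.168.127.254\r\n"
    "Cookie: session=constructed-sample\r\n\r\n";
static const char REQ_OTHER_PATH[] =
    "GET /index.html HTTP/1.1\r\nHost: 192.168.127.254\r\n"
    "Cookie: session=constructed-sample\r\n\r\n";

/* Case-insensitive test that a header line starts with "<name>:". */
static int header_is(const char *line, const char *name)
{
    size_t i, n = strlen(name);
    for (i = 0; i < n; i++)
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return line[n] == ':';
}

/* Minimal parser: "METHOD SP PATH SP VERSION CRLF header-lines CRLF CRLF".
 * Returns 0 on success, -1 when the request line is malformed. */
static int parse_request(const char *raw, struct request *req)
{
    const char *sp = strchr(raw, ' ');
    const char *start, *end, *line;
    size_t len;

    req->has_cookie = 0;
    req->path[0] = '\0';
    if (sp == NULL) return -1;
    start = sp + 1;
    end = strchr(start, ' ');
    if (end == NULL) return -1;
    len = (size_t)(end - start);
    if (len == 0 || len >= PATH_MAX_LEN) return -1;
    memcpy(req->path, start, len);
    req->path[len] = '\0';

    /* Walk header lines until the empty line that ends them. */
    for (line = strstr(raw, "\r\n"); line != NULL; line = strstr(line, "\r\n")) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0') break;
        if (header_is(line, "Cookie")) req->has_cookie = 1;
    }
    return 0;
}

/* The pattern from the disassembly: s1 goes straight into strcmp. With
 * s1 == NULL this dereferences a null pointer, which is the crash the
 * advisory describes. Kept only for contrast; never call it with NULL.
 * Returns 1..3 for the matching file, 0 for no match. */
static int dispatch_unchecked(const char *s1)
{
    if (strcmp(s1, "/MOXA_CFG.ini") == 0)  return 1;
    if (strcmp(s1, "/MOXA_CFG2.ini") == 0) return 2;
    if (strcmp(s1, "/MOXA_LOG.ini") == 0)  return 3;
    return 0;
}

/* Hardened form: the NULL case is handled before any strcmp runs.
 * Returns -1 for NULL, 1..3 for the matching file, 0 for no match. */
static int dispatch_checked(const char *s1)
{
    int i;
    if (s1 == NULL) return -1;
    for (i = 0; i < 3; i++)
        if (strcmp(s1, PROTECTED[i]) == 0) return i + 1;
    return 0;
}

/* HTTP status the hardened dispatcher answers with. Assumption (see the
 * lead-in): s1 is only available when the request carried a Cookie header;
 * without one it is NULL, the state the advisory found. */
static int handle_request(const char *raw)
{
    struct request req;
    const char *s1;
    int which;

    if (parse_request(raw, &req) != 0) return 400;
    s1 = req.has_cookie ? req.path : NULL;
    which = dispatch_checked(s1);
    if (which < 0) return 401;   /* missing cookie: refuse instead of crashing */
    if (which == 0) return 404;  /* not one of the three files */
    return 200;
}

int main(void)
{
    printf("no cookie   -> %d\n", handle_request(REQ_NO_COOKIE));
    printf("with cookie -> %d\n", handle_request(REQ_WITH_COOKIE));
    printf("other path  -> %d\n", handle_request(REQ_OTHER_PATH));
    return 0;
}
```

The sample without a Cookie header gets a 401 from the hardened dispatcher at the exact point where the unchecked form would have passed a NULL pointer to strcmp. The fix is nothing more than the pointer check in dispatch_checked placed before every strcmp on request-derived data; the same check belongs in front of each of the three call sites the disassembly shows.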
Exploit Proof-of-Concept
curl -v 192.168.127.254/MOXA_LOG.ini
or
curl -v 192.168.127.254/MOXA_CFG.ini
or
curl -v 192.168.127.254/MOXA_CFG2.ini
Timeline
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Credit
Discovered by Carlos Pacho of Cisco Talos.
Tested Versions
Moxa EDR-810 V4.1 build 17030317
Product URLs
https://www.moxa.com/product/EDR-810.htm
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSSv2 Score
5.0 - AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE
CWE-476 - NULL Pointer Dereference
Report URL
http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0474
Related Records
SSV:97225 - Seebug entry for this report, published 2018-04-16: https://www.seebug.org/vuldb/ssvid-97225
CVE-2017-14435 (/MOXA_CFG.ini), CVE-2017-14436 (/MOXA_CFG2.ini) and CVE-2017-14437 (/MOXA_LOG.ini) - NVD entries published 2018-05-14, each rated CVSSv3 7.5 (HIGH) and CVSSv2 5.0 (MEDIUM), CWE-476, affected CPE cpe:2.3:o:moxa:edr-810_firmware:4.1:*:*:*:*:*:*:*
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14435
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14436
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14437
Talos blog, "Vulnerability Spotlight: Multiple Vulnerabilities in Moxa EDR-810 Industrial Secure Router", published 2018-04-13 (http://feedproxy.google.com/~r/feedburner/Talos/~3/dNMKguKXjWw/vuln-moxa-edr-810.html). The post covers this report together with the other EDR-810 advisories discovered by Carlos Pacho of Cisco Talos:
TALOS-2017-0472 (CVE-2017-12120) - Moxa EDR-810 Web Server ping Command Injection Vulnerability
TALOS-2017-0473 (CVE-2017-12121) - Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability
TALOS-2017-0474 (CVE-2017-14435 to 14437) - Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities (this report)
TALOS-2017-0475 (CVE-2017-12123) - Moxa EDR-810 Cleartext Transmission of Password Vulnerability
TALOS-2017-0476 (CVE-2017-12124) - Moxa EDR-810 Web Server URI Denial of Service Vulnerability
TALOS-2017-0477 (CVE-2017-12125) - Moxa EDR-810 Web Server Certificate Signing Request Command Injection Vulnerability
TALOS-2017-0478 (CVE-2017-12126) - Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability
TALOS-2017-0479 (CVE-2017-12127) - Moxa EDR-810 Plaintext Password Storage Vulnerability
TALOS-2017-0480 (CVE-2017-12128) - Moxa EDR-810 Server Agent Information Disclosure Vulnerability
TALOS-2017-0481 (CVE-2017-12129) - Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability
TALOS-2017-0482 (CVE-2017-14432 to 14434) - Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities
TALOS-2017-0487 (CVE-2017-14438 and 14439) - Moxa EDR-810 Service Agent Multiple Denial of Service
The discovered vulnerabilities have been confirmed in Moxa EDR-810 V4.1 build 17030317 but may also affect earlier versions of the product. Moxa has released updated firmware (https://www.moxa.com/support/download.aspx?type=support&id=15851); users are advised to download and install the latest release as soon as possible.
Coverage
Snort rules 31939, 40880, 44835-44837, 44840-44842, 44847-44852, 44855 and 44858 detect attempts to exploit these vulnerabilities. Additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information; refer to your Firepower Management Center or Snort.org for current rule information.