Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability

Summary

An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

<https://www.moxa.com/product/EDR-810.htm&gt;

CVSSv3 Score

3.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-216 - Weak Cryptography for Passwords

Details

After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device’s password.

Exploit Proof-of-Concept

In the Cookie there is a PASSWORD= parameter. This parameter contain a MD5 of the users password.

GET /overview.asp HTTP/1.1
Host: 192.168.127.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.127.254/home.asp?action=go
Cookie: sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1506954769474; NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0; Auto-Logout_Time=3600000; sessionID=2933537563
Connection: keep-alive

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release