Moxa SDS-3008 Series Industrial Ethernet Switch web server denial of service vulnerability

Published: 2023-02-02 00:00:00
Source: Talos Intelligence (www.talosintelligence.com)
Tags: denial of service, http message, resource pool, smart ethernet switch, cve-2022-40224, moxa sds-3008

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.003 Low (Percentile 65.6%)

Talos Vulnerability Report

TALOS-2022-1618

Moxa SDS-3008 Series Industrial Ethernet Switch web server denial of service vulnerability

February 2, 2023

CVE Number

CVE-2022-40224

SUMMARY

A denial of service vulnerability exists in the web server functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP message header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Moxa SDS-3008 Series Industrial Ethernet Switch 2.1

PRODUCT URLS

SDS-3008 Series Industrial Ethernet Switch - https://www.moxa.com/en/products/industrial-network-infrastructure/ethernet-switches/layer-2-smart-switches/sds-3008-series

CVSSv3 SCORE

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-410 - Insufficient Resource Pool

DETAILS

The SDS-3008 is an 8-port smart Ethernet switch designed for industrial environments. In addition to standard smart switch functionality such as IEEE 802.1Q VLAN, port mirroring and SNMP, the SDS-3008 also implements variations of EtherNet/IP, PROFINET and Modbus TCP to support management functions. The switch is primarily managed via a web application.

An HTTP request to port 443 that does not contain two empty lines between the message header and message body will result in termination of the web server thread, leading to a Denial of Service (DoS) condition.

RFC 2616 (Hypertext Transfer Protocol, HTTP/1.1) defines a carriage return (CR) followed by a line feed (LF), written CRLF, as "the end-of-line marker for all protocol elements except the entity-body." The specification establishes that an HTTP message should contain "a start-line, zero or more header fields (also known as "headers"), an empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields, and possibly a message-body."

generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line      = Request-Line | Status-Line

An HTTP message to port 443 that does not contain both the message-header CRLF and the "empty line" CRLF will crash the web server. The operating system thread in which the web server is running will be terminated, and no new connections will be accepted on ports 80 and 443. After several minutes, the device operating system will restart the web server in a new thread.

Exploit Proof of Concept

A very basic HTTP request may look something like the below example, with a message start line (GET), header field (Host:), message-header CRLF (\r\n) and "empty line" CRLF (\r\n):

GET / HTTP/1.1
Host: 192.168.127.253
\r\n\r\n

The below HTTP GET request, which is identical to the above request except for the absence of one of the expected CRLFs (\r\n), will result in a web server Denial of Service when sent to port 443:

GET / HTTP/1.1
Host: 192.168.127.253
\r\n

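The framing rule quoted from RFC 2616 in the DETAILS section is something a server can verify before it acts on a request, and that is the check whose absence turns the second request above into a crash. The Python below is an added example, not the Moxa web server's code and not part of the Talos report: it parses the request head only once the empty-line CRLF has arrived, treats a head that ends without it (or grows past a cap) as a per-request 400, and never lets that outcome unwind the loop that serves the next client. The 8192-byte cap, the `eof` flag and the two sample requests are assumptions constructed here; the Host value 192.168.127.253 is the one used in the advisory's own requests.

```python
"""Defensive parsing of the HTTP/1.1 request head.

Added example (not the Moxa web server's code and not from the Talos
report). It implements the check the advisory describes as missing: the
header section is only handed on once the empty-line CRLF that RFC 2616
requires has been seen; a head that ends without it, or that grows past a
cap, is a per-request 400, not a reason for the serving thread to die.
The cap, the eof flag and the sample requests are assumptions made here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

HEAD_TERMINATOR = b"\r\n\r\n"   # message-header CRLF followed by the "empty line" CRLF
MAX_HEAD_BYTES = 8192           # assumed cap; a real server picks its own value


class MalformedRequest(Exception):
    """Framing error: the caller answers 400 and keeps serving other clients."""


@dataclass
class RequestHead:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request_head(raw: bytes, eof: bool = True) -> Optional[RequestHead]:
    """Parse the bytes received so far on one connection.

    Returns the head once it is complete, None if more bytes are needed, and
    raises MalformedRequest if the head can never become valid. eof tells us
    whether the peer has finished sending (closed or half-closed the socket).
    """
    end = raw.find(HEAD_TERMINATOR)
    if end == -1:
        # No empty line yet: either the head is still arriving, or the peer
        # stopped without ever sending it (the second request in the advisory).
        if len(raw) > MAX_HEAD_BYTES:
            raise MalformedRequest("head exceeds %d bytes without a terminator" % MAX_HEAD_BYTES)
        if eof:
            raise MalformedRequest("header section not terminated by an empty-line CRLF")
        return None

    lines = raw[:end].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        raise MalformedRequest("bad request line: %r" % lines[0])
    try:
        method, target, version = (p.decode("ascii") for p in parts)
        head = RequestHead(method, target, version)
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            # message-header = field-name ":" [ field-value ]; a line with no
            # colon, an empty name, or whitespace around the name is not one.
            if not sep or not name or name != name.strip():
                raise MalformedRequest("bad header line: %r" % line)
            head.headers[name.decode("ascii").lower()] = value.decode("ascii").strip()
    except UnicodeDecodeError as exc:
        raise MalformedRequest("non-ASCII byte in request head") from exc
    if head.version == "HTTP/1.1" and "host" not in head.headers:
        raise MalformedRequest("HTTP/1.1 request without a Host header")
    return head


def handle_request(raw: bytes, eof: bool = True) -> Optional[int]:
    """Status the server would answer with; None means keep reading.

    A framing error is an ordinary outcome of one request, caught here, so
    it never unwinds the loop that accepts the next connection.
    """
    try:
        head = parse_request_head(raw, eof)
    except MalformedRequest:
        return 400
    if head is None:
        return None
    return 200  # head is sane; a real server would dispatch on head.target here


# Constructed samples mirroring the two requests shown in the advisory.
WELL_FORMED = b"GET / HTTP/1.1\r\nHost: 192.168.127.253\r\n\r\n"
MISSING_EMPTY_LINE = b"GET / HTTP/1.1\r\nHost: 192.168.127.253\r\n"

if __name__ == "__main__":
    for label, req in (("well-formed", WELL_FORMED), ("missing empty line", MISSING_EMPTY_LINE)):
        print("%-20s -> %s" % (label, handle_request(req, eof=True)))
```

The distinction between "incomplete" and "malformed" is what keeps the check both safe and usable: while the peer is still sending and the head is under the cap, the parser simply asks for more bytes, so a slow but legitimate client is not rejected; only when the peer has stopped, or the head has grown past the cap without ever producing the empty line, does the request become a 400. Either way the error is caught in handle_request, so the condition the advisory describes (a terminated serving thread and no new connections on 80 or 443) cannot arise from this path.
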
TIMELINE

2022-10-14 - Vendor Disclosure
2022-10-14 - Initial Vendor Contact
2023-02-02 - Public Release
2023-02-02 - Vendor Patch Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.
