Security researchers have discovered a total of eight vulnerabilities in NPort serial device servers produced by Taiwan-based industrial automation solutions provider Moxa, ICS-CERT reported on Thursday.
The flaws discovered by Reid Wightman, Mikael Vingaard and Maxim Rupp affect more than a dozen NPort models.
Three of the security holes have a CVSS score of 9.8, which puts them in the critical severity category. They can be exploited to retrieve an administrator password without authentication, update the device’s firmware over the network without authentication and potentially achieve code execution, and use brute force to bypass authentication.
The high-severity vulnerabilities can be exploited to remotely execute arbitrary code, to launch cross-site request forgery (CSRF) attacks, and cause a denial-of-service (DoS) condition. The remaining flaws are medium-severity cross-site scripting (XSS) and plaintext password storage issues.
Moxa has released firmware updates for most of the affected NPort devices, except for one model that was discontinued in 2008. The company has advised customers to install the updates.
Vulnerabilities in Siemens, Mitsubishi Electric and Advantech Products
Researchers from Russia-based security companies Positive Technologies and Kaspersky Lab discovered that Siemens’ SICAM PAS energy automation software has two high severity and two critical flaws.
The critical weaknesses can be leveraged by an attacker on the network to obtain privileged access to the product’s database using a hardcoded password, and to cause a DoS condition and possibly execute arbitrary code. The other flaws can be used by a local attacker to recover the database password, and by a network attacker to download, upload or delete files in certain parts of the system.
Siemens released SICAM PAS 8.00 to address the password-related issues. The other security holes require access to certain ports, which organizations should block from their firewall until a patch is made available. ICS-CERT’s advisory seems to contain some inaccuracies, but Siemens has published an advisory of its own.
Kaspersky researchers also identified a couple of high severity flaws in Mitsubishi Electric’s MELSEC-Q programmable logic controllers (PLCs). The vulnerabilities affect QJ71E71 ethernet interface modules and they are related to weak encryption and improperly restricted remote access functionality.
Andrea Micalizzi, known online as “rgod,” discovered high severity information disclosure, path traversal and privilege escalation issues in Advantech’s SUSIAccess product, which is designed for building custom intelligent systems. The vendor has replaced SUSIAccess with the WISE-PaaS integrated IoT platform software services and customers have been advised to migrate to the new product.