Flaws affecting Moxa’s MiiNePort embedded serial device servers can be exploited remotely to gain control of vulnerable systems. The vendor has released firmware updates to address the security holes.
ICS-CERT informed organizations last week that MiiNePort E1, E2 and E3 devices are affected by two vulnerabilities. One of them, tracked as CVE-2016-9344, can be exploited to brute-force an active session cookie and download a device’s configuration file.
The second weakness, tracked as CVE-2016-9346, is that the configuration data is stored in a file without encryption.
Aditya K. Sood, the researcher who discovered the vulnerabilities, told SecurityWeek that the exposed configuration files contain sensitive information, including the administrator password, which could allow an attacker to gain unrestricted privileges and access to the device.
According to the researcher, CVE-2016-9344 allows an attacker to download the configuration file remotely from the Internet if the targeted user has an active session on the device.
“The Moxa device emits ‘Server: MoxaHttp/’ on TCP port 80 or any other web port. A simple web scanner with filtering of these headers can help detect systems on the web,” Sood explained.
While the researcher has not conducted any mass Internet scans, he did identify a few hundred externally accessible devices using the Shodan search engine. Other vulnerable devices are likely not exposed to the Internet, so an attacker would need access to the network they are on.
Moxa patched the vulnerabilities with the release of firmware versions 1.8 (MiiNePort E1), 1.4 (MiiNePort E2) and 1.1 (MiiNePort E3) nearly five months after learning of their existence.
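For asset owners, the fixed versions above can be checked against an existing device inventory. The following is an added example, not code from Moxa, ICS-CERT or the researcher: the CSV layout, column names and model strings are assumptions, and the sample records are constructed.

```python
"""Triage an asset inventory for MiiNePort devices older than the fixed firmware."""
import csv
import io

# Fixed firmware per model, as stated in the article.
FIXED = {"E1": (1, 8), "E2": (1, 4), "E3": (1, 1)}
BANNER_PREFIX = "MoxaHttp/"  # Server header prefix quoted in the article

# Constructed sample inventory; the column names are an assumed format.
SAMPLE_INVENTORY = """\
host,model,firmware,server_header,internet_facing
10.20.0.11,MiiNePort E1,1.7,MoxaHttp/1.0,no
10.20.0.12,MiiNePort E2,1.4,MoxaHttp/1.0,no
192.0.2.40,MiiNePort E3,1.0,MoxaHttp/1.0,yes
10.20.0.13,,,MoxaHttp/1.0,no
10.20.0.14,OtherVendor X,2.0,nginx,no
"""

def parse_version(text):
    """Turn '1.10' into (1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(inventory_csv):
    """Return (host, status, internet_facing) for every Moxa-looking record."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip()
        series = model.rsplit(" ", 1)[-1] if model.startswith("MiiNePort") else None
        exposed = row["internet_facing"].strip().lower() == "yes"
        if series not in FIXED:
            # No recorded model: a matching banner still needs manual identification.
            if row["server_header"].startswith(BANNER_PREFIX):
                findings.append((row["host"], "unidentified", exposed))
            continue
        try:
            status = "patched" if parse_version(row["firmware"]) >= FIXED[series] else "vulnerable"
        except ValueError:
            status = "unknown-firmware"
        findings.append((row["host"], status, exposed))
    # Sort by status severity, then Internet-facing hosts first, then host name.
    order = {"vulnerable": 0, "unknown-firmware": 1, "unidentified": 2, "patched": 3}
    return sorted(findings, key=lambda f: (order[f[1]], not f[2], f[0]))

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:<12} {status:<17} internet_facing={exposed}")
```
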
Sood has released proof-of-concept (PoC) exploits and a video showing how the attack works.