Moxa NPort Devices Vulnerable to Remote Attacks

Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks


Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.

According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.

ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large number of TCP SYN packets.

Florian Adamsky, the researcher credited by ICS-CERT for finding the flaws, told SecurityWeek that the vulnerabilities were found as part of a bigger research project conducted by him and Dr. Thomas Engel of the University of Luxembourg’s SECAN-Lab.

The research focuses on industrial Serial-to-Ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.

The researcher said all of the Moxa device vulnerabilities can be exploited remotely over the Internet. A scan with the Censys search engine revealed more than 2,000 Moxa devices connected to the Web, including over 1,350 NPort systems affected by the discovered flaws.

Adamsky said the CVE-2017-16719 vulnerability exists because the TCP Initial Sequence Number (ISN) generated by NPort 5110 and 5130 devices is predictable. This allows an attacker who can predict the ISN to craft and inject malicious network packets into an established TCP connection.

According to the researcher, the ISN was based on uptime, which can be easily obtained via the Simple Network Management Protocol (SNMP). Exploitation of this vulnerability could, in certain circumstances, lead to arbitrary command execution, the expert said.
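The predictability the researcher describes is something an operator can check on their own equipment from a packet capture. The following audit check is an added example, not code from the article or from the researchers: it takes observed (uptime, ISN) pairs, fits a straight line, and flags the ISN as predictable when the samples sit on that line. The sample observations are constructed, not measured from a real NPort, and the uptime-to-ISN formula used to build them is an assumption chosen only to illustrate the clock-driven case.

```python
from typing import Dict, List, Tuple

ISN_MODULUS = 2 ** 32

def fit_line(xs: List[float], ys: List[float]) -> Tuple[float, float]:
    """Ordinary least-squares fit y = slope * x + intercept (pure Python, no numpy)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("uptime samples must not all be identical")
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx

def isn_uptime_assessment(samples: List[Tuple[float, int]],
                          tolerance: int = 1024) -> Dict[str, float]:
    """samples: (uptime_seconds, isn) pairs from the device under test, e.g. uptime read
    from its SNMP sysUpTime object (1.3.6.1.2.1.1.3.0) and ISNs taken from its SYN-ACKs.
    Reports whether the ISN is a near-linear function of uptime, i.e. derivable by anyone
    who can read the uptime.  A sound generator leaves residuals in the billions."""
    if len(samples) < 3:
        raise ValueError("need at least three samples; two points always fit a line")
    ts = [float(t) for t, _ in samples]
    isns = [float(i) for _, i in samples]
    slope, intercept = fit_line(ts, isns)
    max_residual = max(abs(i - (slope * t + intercept)) for t, i in zip(ts, isns))
    return {
        "slope_per_second": slope,
        "max_residual": max_residual,
        "predictable": max_residual <= tolerance,
    }

# Constructed observations (assumed formula, not the NPort's real one): a clock-driven ISN
# and, for contrast, a set of arbitrary values standing in for a randomised generator.
SAMPLE_UPTIMES = (10, 25, 40, 70, 130)
UPTIME_BASED = [(t, (128_000 * t + 4_242) % ISN_MODULUS) for t in SAMPLE_UPTIMES]
RANDOMISED = list(zip(SAMPLE_UPTIMES,
                      (3_021_437_824, 112_233_445, 2_560_001, 4_100_000_000, 987_654_321)))

if __name__ == "__main__":
    for name, obs in (("uptime-based", UPTIME_BASED), ("randomised", RANDOMISED)):
        print(name, isn_uptime_assessment(obs))
```

A "predictable" result on a device that also exposes sysUpTime over SNMP is the condition the article describes; the mitigations are the vendor firmware update and restricting SNMP and management access to the device.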


Exploiting CVE-2017-16715 can allow an attacker to obtain previously sent network packets, which can include the session ID of an HTTP connection. This ID can be leveraged by an attacker to gain access to a device’s web interface.

“In CVE-2017-16715, we found out that these devices were using uninitialized memory as padding for network packets,” Adamsky explained. “According to RFC 894, the minimum Ethernet frame size is 46 bytes. If a packet is smaller than the minimum size, the IP packet ‘should be padded (with octet of zero) to meet the Ethernet minimum frame size’. Instead of octets of zeros, Moxa used uninitialized memory. This vulnerability was called Etherleak [2] in the past.”
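The Etherleak condition Adamsky describes can be detected in a packet capture by checking whether short IPv4 packets were padded with zero octets, as RFC 894 requires, or with other data. The checker below is an added example, not code from the article or the researchers; it parses raw Ethernet frames (captured without the trailing FCS, an assumption), isolates the padding after the IP Total Length, and flags non-zero padding. The two sample frames are constructed inline, with `make_frame` standing in for a stack that copies a caller-supplied buffer into the padding.

```python
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14        # dst MAC + src MAC + EtherType
ETH_MIN_PAYLOAD = 46    # RFC 894 minimum payload; shorter packets must be zero-padded
ETHERTYPE_IPV4 = 0x0800

def ipv4_total_length(frame: bytes) -> Optional[int]:
    """Return the IPv4 Total Length field of an Ethernet frame, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[ETH_HDR_LEN] >> 4 != 4:
        return None
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]

def extract_padding(frame: bytes) -> bytes:
    """Bytes following the IP packet in a frame that needed padding (capture has no FCS)."""
    total = ipv4_total_length(frame)
    if total is None or total >= ETH_MIN_PAYLOAD:
        return b""
    return frame[ETH_HDR_LEN + total:]

def is_etherleak(frame: bytes) -> bool:
    """True when the padding holds anything other than the zero octets RFC 894 requires."""
    return any(extract_padding(frame))

def find_leaks(frames: List[bytes]) -> List[Tuple[int, bytes]]:
    """Scan captured frames; return (index, leaked padding) for every offending frame."""
    return [(i, extract_padding(f)) for i, f in enumerate(frames) if is_etherleak(f)]

def make_frame(udp_payload: bytes, pad_source: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame. pad_source models the memory a driver copies
    into the padding: empty (all zeros) on a correct stack, stale buffer data on a leaky one."""
    total = 20 + 8 + len(udp_payload)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 17, 0,   # checksum 0: constructed
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    udp = struct.pack("!HHHH", 4001, 4001, 8 + len(udp_payload), 0) + udp_payload
    pad_len = max(0, ETH_MIN_PAYLOAD - total)
    return eth + ip + udp + pad_source[:pad_len].ljust(pad_len, b"\x00")

# Constructed sample capture: a correctly padded frame and one leaking stale HTTP data.
CLEAN = make_frame(b"ping", b"")
LEAKY = make_frame(b"ping", b"Cookie: sessionID=constructed-example")
```

Run over a real capture, a non-empty `find_leaks` result means the device is emitting prior buffer contents in its padding, which is the information-disclosure path the article describes for the HTTP session ID.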

The security holes were reported to Moxa via ICS-CERT in June and August, and they were patched by the vendor on November 14.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
