Flaws affecting Moxa’s MiiNePort embedded serial device servers can be exploited remotely to gain control of vulnerable systems. The vendor has released firmware updates to address the security holes.
ICS-CERT informed organizations last week that MiiNePort E1, E2 and E3 devices are affected by two vulnerabilities. One of them, tracked as CVE-2016-9344, can be exploited to brute-force an active session cookie and download a device’s configuration file.
The second weakness, tracked as CVE-2016-9346, refers to the fact that the configuration data is stored in a file without being encrypted.
SAVE THE DATE: ICS Cyber Security Conference | Singapore – April 25-27, 2017
Aditya K. Sood, the researcher who discovered the vulnerabilities, told SecurityWeek that the exposed configuration files contain sensitive information, including the administrator password, which could allow an attacker to gain unrestricted privileges and access to the device.
According to the researcher, CVE-2016-9344 allows an attacker to download the configuration file remotely from the Internet if the targeted user has an active session on the device.
“The Moxa device emits ‘Server: MoxaHttp/’ on TCP port 80 or any other web port. A simple web scanner with filtering of these headers can help detect systems on the web,” Sood explained.
While the researcher has not conducted any mass Internet scans, he did identify a few hundred externally-accessible devices using the Shodan search engine. Other vulnerable devices are likely not exposed to the Internet, requiring the attacker to have network access.
Moxa patched the vulnerabilities with the release of firmware versions 1.8 (MiiNePort E1), 1.4 (MiiNePort E2) and 1.1 (MiiNePort E3) nearly five months after learning of their existence.
Sood has released proof-of-concept (PoC) exploits and a video showing how the attack works:
Related: Moxa, Vanderbilt Surveillance Products Affected by Serious Flaws
Related: Eight Vulnerabilities Found in Moxa NPort Devices
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
Latest News
- Mandiant Catches Another North Korean Gov Hacker Group
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
