Applied Risk, a company that specializes in protecting industrial control systems (ICS), published an advisory this week describing several vulnerabilities found in one of Moxa’s factory automation products.
The security firm’s researchers have identified various types of flaws in the web interface of Moxa’s ioLogik Ethernet I/O products, which are used in oil and gas, manufacturing, nuclear, and water plants.
The most serious of the vulnerabilities are related to password management. Experts discovered that an MD5 hash of the password used for authentication is sent to the server in a GET request. Since the information is transmitted over HTTP instead of HTTPS, a man-in-the-middle (MitM) attacker can easily obtain and crack the password.
Another problem is that the system automatically truncates passwords to 8 characters, which are also used to generate the MD5 hash included in the GET request. Experts have often warned that limiting the length of passwords is a poor security practice.
Researchers also discovered that the administration interface lacks cross-site request forgery (CSRF) protection, allowing an attacker to modify parameters and settings, restart the device, or restore it to factory settings.
Applied Risk also reported finding a persistent cross-site scripting (XSS) flaw that can be used to execute arbitrary code in the context of the web browser when the affected page is accessed.
Alexandru Ariciu, ICS security researcher at Applied Risk, told SecurityWeek that these vulnerabilities allow an attacker to take complete control of the affected device.
“The discovered vulnerabilities can be exploited remotely, but there are some prerequisites to be met. Being in the same network as the devices would make exploitation trivial but it’s not much harder to exploit the vulnerabilities remotely,” Ariciu explained. “It depends on the type of access the attacker has – normally the entry point in a network is not the device that sits in the field.”
Applied Risk confirmed the vulnerabilities on an ioLogik E1242 device running version 2.3 of the firmware. The issues were reported to Moxa on May 26 and they were addressed in ioLogik E1242 on September 30 with the release of firmware version 2.5. The vendor said it added XSS and CSRF protection, it switched from GET to POST for transmitting the password, and increased the password length from 8 to 16 characters.
ICS-CERT has yet to release an advisory describing these vulnerabilities. In the past months, the organization disclosed security holes affecting several Moxa products, including serial device servers, cellular IP gateways and surveillance systems.