A vulnerability that can be leveraged for arbitrary code execution has been found in a tool used for integrating industrial IP surveillance solutions developed by Moxa, a Taiwan-based company that specializes in industrial networking, computing, and automation solutions.
According to ICS-CERT, independent researcher Ariele Caltabiano identified a stack-based buffer overflow vulnerability in Moxa VPort SDK Plus, a free tool that enables third party developers to create customized video management systems and integrate VPort series products with comprehensive monitoring and control systems, such as SCADA and HMI.
The flaw, which affects Moxa VPort ActiveX SDK Plus versions prior to 2.8, can be exploited by a remote attacker to execute arbitrary code with the privileges of the vulnerable VPort application.
The vulnerability impacts MxNVR-MO4 series industrial network video recorders; VPort 26A-1MP series dome cameras; VPort 351, 354, 451, 461, and 364A industrial video encoders; and VPort 36-1MP, 56-2MP, P16-1MP-M12, and P06-1MP-M12 rugged IP cameras.
“A function in ActiveX has a Stack-Based Buffer Overflow vulnerability. Successful exploitation of this vulnerability may allow insertion of lines of assembly code such as a call to another tool,” ICS-CERT wrote in its advisory.
The vulnerability, reported by Caltabiano through HP’s Zero Day Initiative (ZDI), has been assigned the CVE identifier CVE-2015-0986 and a CVSS score of 7.5 (high severity).
ICS-CERT says there is no evidence that public exploits specifically targeting this vulnerability exist. However, the organization has pointed out that even an attacker with low skill can develop an exploit.
Moxa released VPort ActiveX SDK Plus 2.8 Build 15030913 in March to address the vulnerability. The company noted in the changelog that this release fixes a “potential security issue that is caused by buffer overflow when doing regkey set or get.”
Organizations are advised by ICS-CERT to update their installations and minimize exposure of critical systems.