Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Moxa NPort Device Flaws Can Expose Critical Infrastructure to Disruptive Attacks

Two potentially serious vulnerabilities that could allow threat actors to cause significant disruption have been found in a widely used industrial connectivity device made by Moxa.

The Taiwan-based industrial networking and automation solutions provider has addressed the flaws.

Two potentially serious vulnerabilities that could allow threat actors to cause significant disruption have been found in a widely used industrial connectivity device made by Moxa.

The Taiwan-based industrial networking and automation solutions provider has addressed the flaws.

Moxa NPort vulnerabilities The two security holes, tracked as CVE-2022-2043 and CVE-2022-2044 and rated ‘high severity’, affect Moxa’s NPort 5110 device servers, which are designed for connecting serial devices to Ethernet networks. The vulnerabilities can be exploited by a remote attacker to cause the targeted device to enter a denial of service (DoS) condition.

Moxa and the US Cybersecurity and Infrastructure Security Agency (CISA) have released advisories for the vulnerabilities. Moxa said only firmware version 2.10 is affected and instructed customers to contact its tech support department for assistance. CISA told impacted organizations to contact Moxa for a security patch.

Both Moxa and CISA have credited Jens Nielsen, a researcher at Denmark-based industrial cybersecurity company En Garde Security, for reporting the vulnerabilities.

In a blog post published this week, En Garde Security owner Mikael Vingaard said his company’s research department discovered the vulnerabilities in the first half of March 2022, when the vendor was provided proof-of-concept (PoC) scripts and videos showing exploitation.

Vingaard told SecurityWeek that while Moxa NPort devices should not be exposed to the internet, in reality many are accessible from the web. A Shodan search shows more than 5,000 devices and while there may be some honeypots, Vingaard said they can’t all be honeypots.

Moxa NPort exposed devices

He said exploitation of both vulnerabilities requires just a network connection to the targeted device. The exploits can be executed in ‘mere seconds’, and they can be automated and executed via the internet.

The impacted NPort devices are used worldwide, including in critical infrastructure sectors such as energy, critical manufacturing, and transportation systems. There have been reports that these types of devices were targeted for disruption in the 2015 attack on Ukraine’s power grid, which resulted in significant blackouts.

Advertisement. Scroll to continue reading.

Learn more about vulnerabilities in industrial systems at 

SecurityWeek’s 2022 ICS Cyber Security Conference 

Exploitation of the vulnerabilities discovered by En Garde researchers could lead to the disruption of critical services in these sectors, with Vingaard describing the vulnerable Moxa devices as “a small part of the important infrastructural services to our society.”

He explained that the first DoS vulnerability can allow an attacker to cause the targeted device to stop responding to legitimate commands.

“The only way to regain control of the device would be to have staff power off/power on the device, which would require a person to be physically present,” Vingaard said. “This may often pose a problem in remote locations, where it could take significant time to get personnel on site, and not ideal in a situation where time to regain control may matter.”

The second vulnerability, an out-of-bounds issue, can allow an attacker to access and/or overwrite elements on the device, causing a crash or corruption of data. This can make the system become inoperable, in some cases possibly resulting in a permanently damaged device, Vingaard said.

Related: Moxa MXview Vulnerabilities Expose Industrial Networks to Attacks

Related: Flaws in Moxa Railway Devices Could Allow Hackers to Cause Disruptions

Related: Vulnerabilities in Moxa Networking Device Expose Industrial Environments to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

SpecterOps has appointed Tim Bender as CFO, Pat Sheridan as CRO, and Bryce Hein as CMO.

CISA has officially announced the appointment of Madhu Gottumukkala as its new deputy director.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.