Moxa NPort Devices Vulnerable to Remote Attacks

Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks

Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.

According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.

ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large number of TCP SYN packets.

Florian Adamsky, the researcher credited by ICS-CERT for finding the flaws, told SecurityWeek that the vulnerabilities were found as part of a bigger research project conducted by him and Dr. Thomas Engel of the University of Luxembourg’s SECAN-Lab.

The research focuses on industrial Serial-to-Ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.

The researcher said all of the Moxa device vulnerabilities can be exploited remotely over the Internet. A scan with the Censys search engine revealed more than 2,000 Moxa devices connected to the Web, including over 1,350 NPort systems affected by the discovered flaws.

Adamsky said the CVE-2017-16719 vulnerability exists due to the fact that the TCP Initial Sequence Number (ISN) from NPort 5110 and 5130 devices is predictable. This allows an attacker to create and inject malicious network packets into an established TCP connection by predicting the ISN.

According to the researcher, the ISN was based on uptime, which can be easily obtained via the Simple Network Management Protocol (SNMP). Exploitation of this vulnerability could, in certain circumstances, lead to arbitrary command execution, the expert said.
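The check below is an added example for auditing a device's ISN behaviour from captured SYN-ACKs; it is not code from the researchers or from Moxa. It assumes you already have (seconds, ISN) pairs from successive connections to one device and flags an ISN that advances at a near-constant rate, the clock-like pattern the article describes; both sample sets are constructed.

```python
import statistics

ISN_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def isn_rates(samples):
    """ISN growth per second between consecutive (seconds, isn) samples, modulo 2^32."""
    rates = []
    for (t0, i0), (t1, i1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # skip duplicate or out-of-order captures
        rates.append(((i1 - i0) % ISN_MOD) / dt)
    return rates


def isn_predictability(samples):
    """Coefficient of variation of the ISN rate: ~0 means the ISN is a clock, ~1 means it looks random."""
    rates = isn_rates(samples)
    if len(rates) < 2:
        raise ValueError("need at least three samples")
    mean = statistics.fmean(rates)
    return statistics.pstdev(rates) / mean if mean else 0.0


def isn_is_clock_like(samples, threshold=0.05):
    """Flag a device whose ISN advances at an almost constant rate (uptime-derived, as on the NPort)."""
    return isn_predictability(samples) < threshold


# Constructed samples, one SYN-ACK per second: ISN = base + 250000 * uptime_seconds, with tiny jitter.
CLOCK_SAMPLES = [(t, (0x1A2B3C4D + 250_000 * t + (t % 3) * 7) % ISN_MOD) for t in range(10)]

# Constructed samples whose successive differences are wildly uneven, as a randomised ISN would be.
RANDOM_SAMPLES = [(0, 305_419_896), (1, 1_305_419_896), (2, 1_305_519_896),
                  (3, 10_552_600), (4, 2_010_552_600), (5, 2_010_553_100)]

if __name__ == "__main__":
    for name, s in (("clock-like", CLOCK_SAMPLES), ("random-like", RANDOM_SAMPLES)):
        print(f"{name}: score={isn_predictability(s):.4f} predictable={isn_is_clock_like(s)}")
```

A device that scores near zero here should be treated as affected until its firmware is at the patched version, and its SNMP service should not be reachable from untrusted networks.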

Exploiting CVE-2017-16715 can allow an attacker to obtain previously sent network packets, which can include the session ID of an HTTP connection. This ID can be leveraged by an attacker to gain access to a device’s web interface.

“In CVE-2017-16715, we found out that these devices were using uninitialized memory as padding for network packets,” Adamsky explained. “According to RFC 894, the minimum Ethernet frame size is 46 bytes. If a packet is smaller than the minimum size, the IP packet ‘should be padded (with octet of zero) to meet the Ethernet minimum frame size’. Instead of octets of zeros, Moxa used uninitialized memory. This vulnerability was called Etherleak [2] in the past.”
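To spot the Etherleak symptom in a capture from your own network, the added example below (not code from the researchers or from Moxa) checks whether frames carrying IP packets shorter than the 46-byte minimum were padded with zeros, as RFC 894 requires, or with something else. It assumes raw IPv4-over-Ethernet frames without a VLAN tag; both sample frames are constructed.

```python
import struct

ETH_HDR_LEN = 14
MIN_ETH_PAYLOAD = 46  # RFC 894: shorter IP packets must be padded with zero octets to 46 bytes
ETHERTYPE_IPV4 = 0x0800


def padding_bytes(frame: bytes) -> bytes:
    """Return the trailer after the IPv4 packet, i.e. the Ethernet padding the sender added."""
    if len(frame) < ETH_HDR_LEN + 20:
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return b""  # only IPv4 is inspected here
    ip_total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    return frame[ETH_HDR_LEN + ip_total_len:]


def is_leaky(frame: bytes) -> bool:
    """True when a short packet's padding is not all zeros: the Etherleak symptom described above."""
    pad = padding_bytes(frame)
    return len(pad) > 0 and any(pad)


def leaky_frames(frames):
    """Indices of frames in a capture whose padding carries non-zero (possibly leaked) bytes."""
    return [i for i, f in enumerate(frames) if is_leaky(f)]


def build_frame(payload: bytes, pad: bytes) -> bytes:
    """Constructed sample: Ethernet header + minimal IPv4 header + payload + caller-supplied padding."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return eth + ip + payload + pad


PAYLOAD = b"hello"  # 5-byte payload: the IP packet is 25 bytes, so 21 bytes of padding are needed
PAD_LEN = MIN_ETH_PAYLOAD - (20 + len(PAYLOAD))
CLEAN_FRAME = build_frame(PAYLOAD, b"\x00" * PAD_LEN)                     # RFC 894 behaviour
LEAKY_FRAME = build_frame(PAYLOAD, b"PHPSESSID=abc123xyz" + b"\x00\x00")  # stale buffer as padding

if __name__ == "__main__":
    print("leaky frames:", leaky_frames([CLEAN_FRAME, LEAKY_FRAME]))
    print("leaked bytes:", padding_bytes(LEAKY_FRAME))
```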

The security holes were reported to Moxa via ICS-CERT in June and August, and they were patched by the vendor on November 14.

Related: Cisco Finds Many Flaws in Moxa Industrial APs

Related: Hardcoded Credentials Give Attackers Full Access to Moxa APs

Related: Eight Vulnerabilities Found in Moxa NPort Devices

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
