This week, two separate security alerts have revealed major holes in devices from Moxa, an industrial automation networking company. In one case, attackers could potentially send commands to a device’s operating system by using them as a username in a login attempt. In another, the private key for a Web server used to manage network devices could be retrieved through an HTTP GET request.
The first vulnerability, in Moxa’s AWK-3131A 802.11n industrial wireless networking gear—which can act as an access point, bridge, or client device—was revealed by Cisco Talos on April 3. Because of the way user authentication for multiple features works—leveraging the “loginutils” tool of the Busybox operating system—the usernames from failed login attempts are processed in such a way that they could be leveraged to inject command-line instructions by using punctuation to separate the command from the rest of the command-line output.
“Exploitation of this vulnerability has been confirmed via Telnet, SSH, and the local console port,” Patrick DeSantis and Dave McDaniel of Cisco Talos wrote in their report. “It is suspected that the web application may also be vulnerable as it relies on loginutils and examination of the iw_user binary reveals ‘fail’ messages for ‘WEB,’ ‘TELNET,’ and ‘SSH.’”
Cisco Talos revealed the vulnerability to Moxa in December of 2017. Update: Moxa issued patched firmware on April 3.
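What this class of bug looks like from the log side, as an added example that is not from the article, Cisco Talos, or Moxa: a small Python scanner that flags failed-login records whose username contains shell metacharacters, the punctuation the advisory says is used to split the username into a separate command. The syslog-style record format, host names and addresses below are assumptions and constructed samples, not the device's real output.

```python
import re
from typing import Dict, List, Optional

# Characters a shell treats as command separators or substitutions; a username
# containing one of these is exactly the pattern the Talos advisory describes.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")

# Hypothetical Busybox-style failed-login record (assumption: the real AWK-3131A
# log format is not given in the article; adapt this regex to the device's output).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) login\[\d+\]: "
    r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>.+), Authentication failure$"
)

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
Apr  3 10:14:02 awk login[812]: FAILED LOGIN 1 FROM 192.0.2.10 FOR admin, Authentication failure
Apr  3 10:14:09 awk login[812]: FAILED LOGIN 2 FROM 192.0.2.10 FOR admin;id, Authentication failure
Apr  3 10:14:15 awk login[812]: FAILED LOGIN 3 FROM 192.0.2.10 FOR $(uname), Authentication failure
Apr  3 10:14:21 awk login[812]: FAILED LOGIN 1 FROM 192.0.2.11 FOR operator, Authentication failure
Apr  3 10:14:30 awk sshd[901]: Accepted password for operator from 192.0.2.11 port 51234
"""


def parse_failed_login(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a failed-login record, or None for any other line."""
    m = FAILED_LOGIN.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def has_shell_metachars(username: str) -> bool:
    """True if the username could break out of a shell command line."""
    return SHELL_METACHARS.search(username) is not None


def suspicious_usernames(log_text: str) -> List[Dict[str, str]]:
    """Failed-login records whose username carries shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_failed_login(line)
        if rec and has_shell_metachars(rec["user"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_usernames(SAMPLE_LOG):
        print(f"{rec['ts']} from {rec['src']}: username {rec['user']!r}")
```

Run against the sample, the scanner reports the two records from 192.0.2.10 whose usernames carry a `;` or `$(`; ordinary failed logins such as `admin` or `operator` are left alone.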
The second Moxa vulnerability, in Moxa’s MXview network-management software, was published today as an advisory from the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). MXview has an integrated Web server to allow remote access to network-management data. The vulnerability, which was discovered by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College, allows an attacker to view the private key for the server. Another vulnerability in the same software, announced in January, allows attackers to leverage an “unquoted search path” from a Web browser to gain access to files or execute arbitrary code on the server.
Normally, these sorts of systems are supposed to be kept segmented from the Internet, and DHS's recommended mitigation for both of these vulnerabilities is to “minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet,” as well as segmenting industrial control systems from the business network. Moxa has released a new version of MXview that patches these problems.