Tuesday, May 3, 2016

[ICS] Moxa MiiNePort - Multiple Vulnerabilities

Multiple vulnerabilities are present in Moxa MiiNePort. The following versions have been verified, but it is highly probable that all other versions are affected as well.


Moxa provides a full spectrum of quality products for industrial networking, computing, and automation, and maintains a distribution and service network that reaches customers in more than 70 countries. Our products have connected over 30 million devices worldwide in a wide range of applications, including factory automation, smart rail, smart grid, intelligent transportation, oil & gas, marine, and mining. By continually improving staff expertise in a variety of technologies and markets, we aim to be the first choice for industrial automation solutions.

Moxa's embedded serial-to-Ethernet device server modules are small, consume less power, and are easy to integrate.
The embedded serial-to-Ethernet device server modules consist of the MiiNePort serial device server series and the NE device server module series.

Moxa’s MiiNePort E3 series embedded device servers are designed for manufacturers who want to add sophisticated network connectivity to their serial devices with minimal integration effort. The MiiNePort E3 is empowered by the MiiNe, Moxa’s second generation SoC, which supports 10/100 Mbps Ethernet, up to 921.6 kbps serial baudrate, a versatile selection of ready-to-use operation modes, and requires only a small amount of power. By using Moxa’s innovative NetEZ technology, the MiiNePort E3 can be used to convert any device with a standard serial interface to an Ethernet enabled device in no time. In addition, the MiiNePort E3 is a compact embedded device server with an RJ45 connector, making it easy to fit into virtually any existing serial device.


Confirmed Device Models + Firmware versions

Device name         : MiiNePort_E1_7080
Firmware version    : 1.1.10 Build 09120714

Device name         : MiiNePort_E1_4641
Firmware version    : 1.1.10 Build 09120714

Device name         : MiiNePort_E2_1242
Firmware version    : 1.1 Build 10080614

Device name         : MiiNePort_E2_4561
Firmware version    : 1.1 Build 10080614

Model name          : MiiNePort E3
Firmware version    : 1.0 Build 11071409

Vulnerability Summary
1. Weak Credentials Management - CVE-2016-2286
2. Sensitive information not protected - CVE-2016-2295
3. Vulnerable to Cross-Site Request Forgery - CVE-2016-2285

Vulnerability Description

1. Weak Credentials Management
By default, no password is set on the device / application. This allows anyone to access the device over HTTP and Telnet. Access to the device provides full administrative functionality.

> The device / application should have a mandatory password change mechanism in place, forcing users to a) set the password on first login, b) ensure the password meets complexity requirements, and c) change the password periodically.

2. Sensitive information not protected
Information such as Connect passwords and SNMP community strings is not protected and is shown in clear text when the device configuration is viewed and / or downloaded (HTTP / Telnet).

> The application should mask/censor/encrypt any sensitive information such as passwords, keys, strings, etc., both in the management portal forms and in the device configuration files. Additionally, secure transport must be used by default (TLS).

3. Vulnerable to Cross-Site Request Forgery
There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, & device reboot. 

-> Related Controls
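
A sketch of the control this finding says is missing, added here as an example and not taken from the advisory or from Moxa's firmware: a token bound to one session and one sensitive function, checked before any state change. The action names, the `handle_post` handler, the key handling and the 600-second lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a random key generated at boot and held only by the web server.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # token lifetime in seconds (constructed value)

# State-changing functions named in the finding; the identifiers are hypothetical.
SENSITIVE_ACTIONS = {"password_change", "config_change", "config_save", "reboot"}


def _mac(session_id: str, action: str, issued: int) -> str:
    msg = f"{session_id}|{action}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str, now: Optional[float] = None) -> str:
    """Return a token valid for one session and one sensitive function."""
    if action not in SENSITIVE_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(session_id, action, issued)}"


def verify_token(session_id: str, action: str, token: str,
                 now: Optional[float] = None) -> bool:
    """Accept only a fresh token issued for this session and this action."""
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    current = time.time() if now is None else now
    if not 0 <= current - issued <= TOKEN_TTL:
        return False  # expired, or dated in the future
    expected = _mac(session_id, action, issued)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_post(session_id: str, action: str, form: dict) -> int:
    """Hypothetical request handler: return the HTTP status for a POST."""
    if action in SENSITIVE_ACTIONS and not verify_token(
            session_id, action, form.get("csrf_token", "")):
        return 403  # request did not carry a token this server issued
    return 200  # the state change would be performed here
```

The server embeds the output of `issue_token` as a hidden field in each sensitive form; a request triggered from another site cannot read that field, so it arrives without a valid token and is rejected.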




The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.