ICS Alert

Moxa NPort Device Vulnerabilities (Update B)

Alert Code: ICS-ALERT-16-099-01B

SUMMARY

This alert update is a follow-up to the NCCIC/ICS-CERT updated alert titled ICS-ALERT-16-099-01A Moxa NPort Device Vulnerabilities that was published April 20, 2016, on the ICS-CERT web page.

--------- Begin Update B Part 1 of 2 --------

ICS-CERT is aware of a public report of vulnerabilities affecting multiple models of the Moxa NPort device. These vulnerabilities were reported by Reid Wightman of Digital Bond Labs, who coordinated with the vendor but not with ICS-CERT.

--------- End Update B Part 1 of 2 --------

ICS-CERT has notified Moxa of the report, and Moxa has validated all five of the reported vulnerabilities, which include 1) unauthenticated retrievable sensitive account information, 2) unauthenticated remote firmware updates, 3) buffer overflow allowing arbitrary remote code execution, 4) cross-site scripting, and 5) cross-site request forgery. Moxa has identified additional NPort models that are affected by the reported vulnerabilities.

ICS-CERT is issuing this updated alert to provide notice of the report and to identify baseline mitigations for reducing the risk from these and other cybersecurity attacks.

The report included details about the vulnerabilities:

Vulnerability Type | Remotely Exploitable | Impact
-------------------|----------------------|-------
Unauthenticated retrievable sensitive account information | Yes | Disclosure of sensitive information
Unauthenticated remote firmware update | Yes | Complete compromise of the affected system
Buffer overflow | Yes | Possible arbitrary remote code execution
Cross-site scripting | Yes | Web browser could execute malicious script
Cross-site request forgery | Yes | Unverified HTTP requests may allow attacker to trick user into making unintentional request

Moxa has confirmed that the following NPort devices are affected by the reported vulnerabilities:

  • Moxa NPort 5100 series,
  • Moxa NPort 5200 series,
  • Moxa NPort 5400 series,
  • Moxa NPort 5600 series,
  • Moxa NPort 5600-DT/DTL series,
  • Moxa NPort 5100A series,
  • Moxa NPort 5200A series,
  • Moxa NPort P5150A series,
  • Moxa NPort 5x50AI-M12 series,
  • Moxa NPort 6000 series, and
  • Moxa NPort 6110 series.

The publicly disclosed vulnerabilities in the Moxa NPort devices include unauthenticated retrievable sensitive account information, which may allow a remote attacker to gain administrator privileges on the affected systems. The firmware of the affected devices can be updated over the network without authentication, which may allow a remote attacker to completely compromise the system. Exploitation of the buffer overflow vulnerability may allow an unauthenticated attacker to execute arbitrary code remotely. The cross-site scripting vulnerability may allow an authenticated party to insert malicious code into web pages, which a web browser would then execute. The cross-site request forgery vulnerability may allow an attacker to trick a user into executing unwanted actions on a web application to which the user has authenticated.

At this time, ICS-CERT is not aware of publicly available exploit code that exploits the identified vulnerabilities.

Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the US, UK, India, Germany, France, China, Russia, and Brazil.

FOLLOW-UP

ICS-CERT released the follow-up advisory titled ICSA-16-336-02 Moxa NPort Device Vulnerabilities on December 1, 2016, on the ICS-CERT web site.

MITIGATION

Moxa is planning to release a new firmware version in late August 2016 that will address the five reported vulnerabilities in all the affected NPort devices, except for the NPort 6110. Moxa has reported that the NPort 6110 device was discontinued in December 2008 and will not have patches released to address these vulnerabilities.

Moxa recommends that customers using the NPort 6110 upgrade the affected device.

--------- Begin Update B Part 2 of 2 --------

Moxa also recommends disabling Ports 80/TCP (HTTP), 443/TCP (HTTPS), 22/TCP (SSH), and 23/TCP (TELNET). Moxa indicates that users should ensure that Ports 161/UDP, 4800/UDP, and 4900/TCP are only accessible by trusted systems and that restricting access to Ports 4800/UDP and 4900/TCP will impact remote systems administration.

--------- End Update B Part 2 of 2 --------

ICS-CERT recommends that users:

  • Set up access control to affected devices to prevent any unauthorized access.
  • Isolate affected systems from the Internet [1] and all untrusted systems.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

[1] ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01, web site last accessed April 08, 2016.
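Moxa's port guidance (disable 80/TCP, 443/TCP, 22/TCP and 23/TCP; allow 161/UDP, 4800/UDP and 4900/TCP only from trusted systems) and ICS-CERT's access-control and isolation recommendations can be expressed as a single policy that drives both enforcement and verification. The Python script below is an added example, not code from this alert, from ICS-CERT or from Moxa: it keeps the two port lists as data, renders an nftables ruleset for a firewall that forwards traffic into the NPort segment, and audits a set of observed flow records against the same policy so the deployed rules can be checked. The device subnet 192.0.2.0/24, the trusted management hosts 198.51.100.10 and 198.51.100.11, the table name nport_guard and the sample flow lines are all constructed for the example.

```python
"""Added example, not from the alert or from Moxa: one port policy for Moxa
NPort devices, rendered as an nftables ruleset and used to audit flow records.

Constructed values: the NPort segment is 192.0.2.0/24 and the trusted
management hosts are 198.51.100.10 and 198.51.100.11.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Services Moxa recommends disabling on the device; the firewall drops them too.
DISABLE = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("tcp", 23)}
# Services Moxa says must be reachable only from trusted systems.
RESTRICT = {("udp", 161), ("udp", 4800), ("tcp", 4900)}

DEVICE_NET = "192.0.2.0/24"                    # constructed
TRUSTED = ["198.51.100.10", "198.51.100.11"]   # constructed


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _port_set(spec: set, proto: str) -> str:
    """Render one protocol's ports as an nft anonymous set, e.g. 'tcp dport { 22, 80 }'."""
    ports = sorted(p for pr, p in spec if pr == proto)
    return f"{proto} dport {{ {', '.join(str(p) for p in ports)} }}"


def nft_ruleset(device_net: str, trusted: List[str]) -> str:
    """Ruleset for a firewall on the path into the NPort segment (forward hook)."""
    rules = []
    # 1. Drop the services Moxa recommends disabling, from any source, and log the attempt.
    for proto in ("tcp", "udp"):
        if any(pr == proto for pr, _ in DISABLE):
            rules.append(f"ip daddr {device_net} {_port_set(DISABLE, proto)} "
                         'log prefix "nport-disabled " counter drop')
    # 2. Accept management ports only from the trusted set; drop and log everything else.
    for proto in ("tcp", "udp"):
        if any(pr == proto for pr, _ in RESTRICT):
            ports = _port_set(RESTRICT, proto)
            rules.append(f"ip daddr {device_net} ip saddr @trusted_mgmt {ports} counter accept")
            rules.append(f"ip daddr {device_net} {ports} "
                         'log prefix "nport-untrusted " counter drop')
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet nport_guard {\n"
        "    set trusted_mgmt {\n"
        "        type ipv4_addr\n"
        f"        elements = {{ {', '.join(trusted)} }}\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


def parse_flows(text: str) -> List[Flow]:
    """Parse 'key=value' flow records (a constructed format resembling a flow exporter)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        flows.append(Flow(kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"])))
    return flows


def audit_flows(flows: Iterable[Flow], device_net: str,
                trusted: List[str]) -> List[Tuple[Flow, str]]:
    """Flag flows toward the NPort segment that the policy says should not occur."""
    net = ipaddress.ip_network(device_net)
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for f in flows:
        if ipaddress.ip_address(f.dst) not in net:
            continue  # destination is not an NPort device
        svc = (f.proto, f.dport)
        if svc in DISABLE:
            findings.append((f, "service Moxa recommends disabling is still reachable"))
        elif svc in RESTRICT and ipaddress.ip_address(f.src) not in trusted_set:
            findings.append((f, "management port reached from an untrusted host"))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = """\
src=198.51.100.10 dst=192.0.2.17 proto=tcp dport=4900
src=10.0.5.23 dst=192.0.2.17 proto=tcp dport=80
src=10.0.5.23 dst=192.0.2.18 proto=udp dport=4800
src=198.51.100.11 dst=192.0.2.18 proto=udp dport=161
src=10.0.5.40 dst=192.0.2.18 proto=tcp dport=502
src=10.0.5.40 dst=10.0.9.9 proto=tcp dport=80
"""

if __name__ == "__main__":
    print(nft_ruleset(DEVICE_NET, TRUSTED))
    for flow, reason in audit_flows(parse_flows(SAMPLE_FLOWS), DEVICE_NET, TRUSTED):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Write the rendered ruleset to a file and run `nft -c -f <file>` to syntax-check it before loading. Because the accept rules for the trusted set precede the drop rules for the same ports, order in the generated chain matters and should be preserved if the rules are merged into an existing table. The audit deliberately leaves any other protocol (for example the serial-over-TCP data ports the devices exist to serve) alone, so a finding always maps to one of the two statements in Moxa's guidance.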

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices section for control systems on the ICS-CERT web site (http://ics-cert.us-cert.gov). Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Vendor

  • Moxa