Yesterday the DHS ICS-CERT published an advisory for the Moxa EDR-G903 Series Routers. The advisory identifies two communications vulnerabilities identified by Neil Smith in a coordinated disclosure. The vulnerabilities are a hardcoded user account and an insufficient entropy vulnerability.
According to ICS-CERT the first vulnerability is a minimal issue because the access provided is limited and does not allow changing of settings or traversing the network. The second is more of a problem because it could allow a relatively skilled attacker to gain remote access to the system and compromise data integrity and system availability.
Moxa has provided an update notice on their web site and an updated version that was tested by Smith, who verified that it corrected the vulnerabilities. Not noted in the ICS-CERT advisory: Moxa also included in this update support for using special characters in the login password, this could increase system security if properly utilized.
Other Moxa Vulnerabilities
A Tweet® by Patrick C Miller yesterday pointed me at an article about hard-coded credentials on control system applications. That post is by NJ Ouchn. Moxa had four separate listings in the article:
• Series Railway Remote I/O (ioLogik E12xx and E15xx) – two default passwords
• Cellular Micro RTU Controller (ioLogik W53xx) – two default passwords
• IA240/241 Embedded Computer – four default passwords
• ioPac 8020-C – four (I think, it’s not real clear in the article) default passwords
Since the article was published on Sunday, I would like to think that ICS-CERT will have an alert out for these vulnerabilities today or tomorrow. It is possible, of course, that these have already been addressed by ICS-CERT, but they don’t have a searchable database to check.
BTW: The article also lists hard-coded credential issues in Siemens, and westermo products.