This afternoon the DHS ICS-CERT published an alert for five publicly reported vulnerabilities in the Moxa NPort 6110, 5100 series, and 6000 series devices. The vulnerabilities were publicly reported [link updated 21:54 EST, 2-18-17] by Digital Bond Labs (not named in the alert) after initial coordination with the vendor failed to respond to the vulnerabilities in a timely manner.
The ICS-CERT alert lists the five vulnerabilities as:
• Unauthenticated retrievable sensitive account information;
• Unauthenticated remote firmware update;
• Buffer overflow;
• Cross-site scripting;
• Cross-site request forgery
ICS-CERT reports that Moxa has acknowledged three of the five vulnerabilities and announces that Moxa will release a new firmware version in late-August 2016 for the NPort 5100 and 6000 series devices that will address those three vulnerabilities. The NPort 6110 is a discontinued device and no updates are planned.
The Digital Bond Labs write-up contains some very specific recommendations about mitigating the vulnerabilities.