This afternoon the DHS ICS-CERT published an alert for five publicly reported vulnerabilities in the Moxa NPort 6110, NPort 5100 series, and NPort 6000 series devices. The vulnerabilities were publicly reported by Digital Bond Labs (not named in the alert) after initial coordination with the vendor failed, the vendor not having responded to the vulnerabilities in a timely manner.
The ICS-CERT alert lists the five vulnerabilities as:
• Unauthenticated retrievable sensitive account information;
• Unauthenticated remote firmware update;
• Buffer overflow;
• Cross-site scripting;
• Cross-site request forgery.
ICS-CERT reports that Moxa has acknowledged three of the five vulnerabilities and announces that Moxa will release a new firmware version in late August 2016 for the NPort 5100 and 6000 series devices that will address those three vulnerabilities. The NPort 6110 is a discontinued device, and no updates are planned for it.
The Digital Bond Labs write-up contains some very specific recommendations about mitigating the vulnerabilities.