Yesterday afternoon the DHS ICS-CERT updated the Moxa Alert that was originally released on April 8th. ICS-CERT reports changes in three areas of the Alert, the summary section, the list of affected equipment and the mitigation section. As was true with the original release, there is some controversy associated with this revision of the alert.
Changes in Summary
First, the update removes a general description of the uses of the affected equipment from the Summary. Then it removes the statement that: “The researcher released the report after initially coordinating with the vendor.” Finally, it provides updated information from Moxa confirming all five of the vulnerabilities reported by Digital Bond LABS instead of just three of the five confirmed in the original Alert. The Alert still does not list DBLABS as the source of the public report of the vulnerabilities.
The removal of the initial coordination statement appears to be a political move by ICS-CERT to minimize the issue that Moxa still does not plan on issuing a fix to the problems until ‘late August 2016’. The revised language makes it look like Moxa was blindsided by the April 5th report and is diligently working on a firmware update. They may be working on an update now, but the DBLABS report provides a timeline showing that Moxa was notified of the vulnerabilities on July 24th, 2015.
Changes in Products Affected List
The revised Alert reformats and expands the list of Moxa NPort devices affected by the five vulnerabilities. It also indicates that Moxa acknowledges the defect in the new list of affected devices. The DBLABS report suggested that more devices than they originally reported were probably affected by the vulnerabilities, acknowledging that the ones listed in the report were the only ones that they had tested.
Interestingly, some of the devices tested by DBLABS do not appear on the revised list of affected devices. These include Moxa NPort 6150/6250/6450/6610/6650, firmware release 1.13. Also interesting to note is that DBLABS was careful to list the firmware versions of the devices they tested and there are no version numbers on the revised list in this update. This indicates that the problem is nearly universal across the NPort product line.
Changes in Mitigation
The third section of changes to the Alert actually overlaps the Mitigation section heading and includes the last two paragraphs from the Summary section. Changes were made in those two paragraphs as well. First, the new version eliminates the list of affected port numbers provided by DBLABS. Second, it removes the description of the uses of the affected NPort devices. That description had stated that:
“The Moxa NPort 6110 device is a Modbus/TCP to serial communication gateway that integrates Ethernet and serial Modbus devices. The Moxa NPort 5100 series and 6000 series devices are serial to Ethernet converters that can be used to connect serial devices to an Ethernet network.”
The changes in the mitigation section of the Alert deal mainly with the fact that Moxa now acknowledges all five of the reported vulnerabilities and reports that the expected August update will mitigate all five. Moxa continues to report that it will not be updating the firmware for the NPort 6110 since that was discontinued in 2008.
Finally, ICS-CERT removed the statement that: “Password protecting the configuration file for the NPort 5100 and 6000 series devices has been reported by the vendor to prevent the upload of unauthorized binary files to the device.” It has been replaced with the more generic and even less helpful (but more truthful): “Set up access control to affected devices to prevent any unauthorized access.”
While it appears that this update was a political response to satisfy the sensibilities of Moxa, or maybe to minimize the concerns of the owners of the NPort devices, it did nothing to soothe the outrage of the investigators who had attempted to ‘properly’ coordinate their disclosure of these very serious vulnerabilities with the vendor.
Last night there was an interesting exchange of TWEETS® between Reid Wightman (@ReverseICS), the author of the original DBLABS report, and Dale Peterson (@digitalbond), the owner of Digital Bond. Now admittedly, Dale and Reid are very vocal (and persuasive) complainers about insecure-by-design ICS devices (which might legitimately include the noted firmware overwrite vulnerability), but insecure passwords, buffer overflow, cross-site scripting and cross-site request forgery vulnerabilities are just plain, old-fashioned, sloppy programming problems. And taking over a year to correct that crappy programming is just unforgivable.
I am more than a little concerned that the ICS-CERT alert continues to ignore two very important points made in the DBLABS report. First, the fact that Moxa serial converter devices were targets in the December cyberattacks on the Ukraine grid and that they were bricked by overwriting the firmware. Second, that DBLABS has shared at least one report of a live exploit of an NPort device with Moxa.
Finally, the mitigation measures mentioned in the Alert are totally inadequate to provide any sort of protection for these devices in the field. And that is totally inexcusable since the DBLABS report provides detailed mitigation measures based upon the vulnerable ports (again, those port designations were removed from the Alert). If the list of the vulnerable ports had not been removed from the Alert, ICS-CERT might have been forgiven for not quoting the DBLABS mitigation suggestions, but they did remove it, and I’m not forgiving them.
I have been a champion in this blog of the vulnerability coordination activities of ICS-CERT, even suggesting that they be made responsible for coordination activities for NHTSA, the FAA, and the FDA. With blatant industry pandering like this Alert update, I think that I am going to have to rethink that position.