This morning the DHS ICS-CERT published two control system advisories for products from Moxa and iRZ. The Moxa advisory was previously published on the US-CERT Secure Portal. I also mention some additional vulnerability news.
Moxa Advisory
This advisory describes five vulnerabilities in the Moxa ECR‑G903 secure routers. The vulnerabilities were reported by Maxim Rupp. Moxa has developed a new firmware version that mitigates the vulnerabilities. There is no indication that Rupp was provided the opportunity to verify the efficacy of the fix.
The five vulnerabilities include:
• Privilege escalation - CVE-2016-0875;
• Plaintext storage of password - CVE-2016-0876;
• Memory leak - CVE-2016-0877;
• Denial of service - CVE-2016-0878; and
• Unauthenticated file download - CVE-2016-0879.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to escalate privileges, initiate a denial-of-service condition, and execute arbitrary code.
iRZ Advisory
This advisory describes a firmware overwrite vulnerability in the iRZ RUH2 serial-to-Ethernet interface. Apparently this is a self-reported vulnerability, though ICS-CERT reports that an exploit is publicly available. iRZ no longer supports this device, so no mitigation measures will be forthcoming.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to upload new firmware to the device.
Other Vulnerability Notes
I had an interesting TWEET directed my way this morning by Brandon Workentin. He said: “Full Disclosure has email by Meteocontrol vuln reporter saying ICS-CERT advisory ‘not complete and accurate.’ Not on FD archive yet”. ICS-CERT published that vulnerability advisory last week.
When I looked on Full Disclosure to see if that report had been published yet (it hasn’t) I was surprised to find another Moxa vulnerability report from early this month that hasn’t been reported by ICS-CERT yet. This is unusual in that Karn Ganeshen, the apparent reporter, has done numerous coordinated disclosures, so there should be an interesting story here.
BTW: Karn was also the reporter on the Meteocontrol Advisory. I’ll be watching Full Disclosure for this reported email.