This morning the DHS ICS-CERT published an update for the Moxa OnCell advisory that was originally published a week ago. The update adds a new vulnerability, cross-site scripting, to the previously reported to vulnerabilities.
Readers might remember that I added a note to my post on the original advisory. I quoted a TWEET® from Maxim Rupp, the researcher who originally reported the vulnerabilities. He complained that the advisory did not include all of the affected devices from Moxa. Interestingly, he did not claim that all of the vulnerabilities were not being reported. So the question is, did Maxim report this additional vulnerability or was it self-reported by Moxa?
The fact that there have been no changes in the fixes to the OnCell software kind of argues that the that Moxa had known about the problem when they wrote the firmware update. It would be really unusual for the firmware update to have fixed a cross-site scripting problem if it was not known about.
Experts compete to find Ukraine grid hack 'smoking gun'
11 months ago