This week John Page (HYP3RLINX) published three control system security vulnerability reports on the Full Disclosure mailing list; all three reports include proof-of-concept exploit code. All three vulnerabilities are in products from Moxa: two in Moxa MXView (here and here) and one in MX-AOPC UA SERVER (here). Page reports that these were coordinated disclosures and that Moxa has updated firmware to mitigate all three vulnerabilities.
The two reported vulnerabilities for MXView are:
• Remote private key disclosure - CVE-2017-7455; and
• Denial of service - CVE-2017-7456
MX-AOPC UA SERVER
The sole reported vulnerability for this product is an XML external entity injection (CVE-2017-7457) vulnerability.