Yesterday the DHS ICS-CERT published an advisory for
the Moxa EDR-G903 Series Routers. The advisory describes two
vulnerabilities reported by Neil Smith in a coordinated disclosure:
a hardcoded user account and an insufficient entropy vulnerability.
The Advisory
According to ICS-CERT, the first vulnerability is a minimal
issue because the access it provides is limited and does not allow changing
settings or traversing the network. The second is more of a problem because it
could allow a relatively skilled attacker to gain remote access to the system
and compromise data integrity and system availability.
Moxa has provided an update
notice on their web site and an updated version that was tested by Smith,
who verified that it corrected the vulnerabilities. Not noted in the ICS-CERT
advisory: Moxa also included in this update support for using special
characters in the login password; this could increase system security if
properly utilized.
Other Moxa Vulnerabilities
A Tweet® by Patrick C Miller yesterday pointed me at an
article about hard-coded credentials in control system applications. That
post is by NJ Ouchn. Moxa had four separate listings in the article:
• Series Railway Remote I/O (ioLogik E12xx and E15xx) – two default passwords
• Cellular Micro RTU Controller (ioLogik W53xx) – two default passwords
• IA240/241 Embedded Computer – four default passwords
• ioPac 8020-C – four (I think; it’s not real clear in the article) default passwords
Since the article was published on Sunday, I would like to think
that ICS-CERT will have an alert out for these vulnerabilities today or
tomorrow. It is possible, of course, that these have already been addressed by
ICS-CERT, but they don’t have a searchable database to check.
BTW: The article also lists hard-coded credential issues in
Siemens and Westermo products.