Today the DHS NCCIC-ICS published a control system security
advisory for products from Moxa. The advisory
describes ten vulnerabilities in the Moxa IKS and EDS industrial switches. The
vulnerabilities were reported by Ivan B, Sergey Fedonin, and Vyacheslav Moskvin
of Positive Technologies Security. Moxa has a firmware patch that mitigates the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The ten reported vulnerabilities are:
• Classic buffer overflow - CVE-2019-6557;
• Cross-site request forgery - CVE-2019-6561;
• Cross-site scripting - CVE-2019-6565;
• Improper access control - CVE-2019-6520;
• Improper restriction of excessive
authentication request - CVE-2019-6524;
• Missing encryption of sensitive
data - CVE-2019-6526;
• Out-of-bounds read - CVE-2019-6522;
• Unprotected storage of
credentials - CVE-2019-6518;
• Predictable from observable state
- CVE-2019-6563; and
• Uncontrolled resource consumption - CVE-2019-6559
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow the reading of sensitive
information, remote code execution, arbitrary configuration changes,
authentication bypass, sensitive data capture, reboot of the device, device
crash, or full compromise of the device.
Posts
No comments:
Post a Comment