This week we have one vendor disclosure from Moxa.
Moxa Advisory
Moxa published an
advisory describing a stack-based buffer overflow vulnerability in the Moxa
EDR-810 Series Secure Routers. The vulnerability was reported by Guillaume
Lopes of Randorisec. Moxa has a new firmware version that mitigates the vulnerability.
There is no indication that Lopes has been provided an opportunity to verify
the efficacy of the fix.
Commentary
This advisory was available on the Moxa
CSRT web page when the NCCIC-ICS Moxa advisory for the same product
(different vulnerabilities) was
published earlier this week. It affects the same product versions and looks
like it was mitigated with the same firmware update, and the vulnerabilities
were reported by the same organization/researcher. Should the three
vulnerabilities have been covered in a single advisory? Probably, but it is
hard to tell from the outside.
The interesting thing here is that Moxa now has a CSRT web
page where they publish their advisories. They have four advisories that were published
on September 25th that would have made it onto last week’s blog post
if I had known the CSRT web site existed last week.
It is nice to see an industrial IoT vendor moving forward
into the responsible security realm. Let’s hope that this is the start of a
trend.