Hundreds of Moxa Devices Similar to Ones Targeted in Ukraine Power Grid Hack Vulnerable to Remote Attacks
Firmware updates released by Moxa for some of its NPort serial device servers patch several high severity vulnerabilities that can be exploited remotely. These types of devices were targeted in the 2015 attack on Ukraine’s energy sector.
According to an advisory published by ICS-CERT, the flaws affect NPort 5110 versions 2.2, 2.4, 2.6 and 2.7, NPort 5130 version 3.7 and prior, and NPort 5150 version 3.7 and prior. The security holes have been patched with the release of version 2.9 for NPort 5110 and version 3.8 for NPort 5130 and 5150.
ICS-CERT said one of the vulnerabilities, CVE-2017-16719, allows an attacker to inject packets and disrupt the availability of the device. Another flaw, CVE-2017-16715, is related to the handling of Ethernet frame padding and it could lead to information disclosure, while the last issue, CVE-2017-14028, can be leveraged to cause memory exhaustion by sending a large amount of TCP SYN packets.
Florian Adamsky, the researcher credited by ICS-CERT for finding the flaws, told SecurityWeek that the vulnerabilities were found as part of a bigger research project conducted by him and Dr. Thomas Engel of the University of Luxembourg’s SECAN-Lab.
The research focuses on industrial Serial-to-Ethernet converters, which are often used in critical infrastructure, including power plants, water treatment facilities, and chemical plants. Adamsky pointed out that in the 2015 attack on Ukraine’s power grid, which caused significant blackouts, the hackers targeted these types of devices in an effort to make them inoperable. A detailed research paper describing the vulnerabilities will be published at some point in the future.
The researcher said all of the Moxa device vulnerabilities can be exploited remotely over the Internet. A scan with the Censys search engine revealed more than 2,000 Moxa devices connected to the Web, including over 1,350 NPort systems affected by the discovered flaws.
Adamsky said the CVE-2017-16719 vulnerability exists due to the fact that the TCP Initial Sequence Number (ISN) from NPort 5110 and 5130 devices is predictable. This allows an attacker to create and inject malicious network packets into an established TCP connection by predicting the ISN.
According to the researcher, the ISN was based on uptime, which can be easily obtained via the Simple Network Management Protocol (SNMP). Exploitation of this vulnerability could, in certain circumstances, lead to arbitrary command execution, the expert said.
Exploiting CVE-2017-16715 can allow an attacker to obtain previously sent network packets, which can include the session ID of an HTTP connection. This ID can be leveraged by an attacker to gain access to a device’s web interface.
“In CVE-2017-16715, we found out that these devices were using uninitialized memory as padding for network packets,” Adamsky explained. “According to RFC 894, the minimum Ethernet frame size is 46 bytes. If a packet is smaller than the minimum size, the IP packet ‘should be padded (with octet of zero) to meet the Ethernet minimum frame size’. Instead of octets of zeros, Moxa used uninitialized memory. This vulnerability was called Etherleak [2] in the past.”
The security holes were reported to Moxa via ICS-CERT in June and August, and they were patched by the vendor on November 14.
Related: Cisco Finds Many Flaws in Moxa Industrial APs
Related: Hardcoded Credentials Give Attackers Full Access to Moxa APs