Multiple security flaws found in Moxa-supplied critical infrastructure equipment

News by Jay Jay

Several security vulnerabilities, three of them critical, have been discovered by researchers in Moxa industrial switches that are used extensively to build industrial networks for oil and gas, transportation, maritime logistics, and other industrial sectors.

Moxa offers products for organisations in critical infrastructure sectors such as the rail industry, logistics, oil and gas, marine, power, and manufacturing. These include managed switches for industrial Ethernet infrastructure, smart switches for field-site and SCADA monitoring, managed switches for rail applications, and PoE switches with fibre-optic Gigabit ports and Ethernet ports for rail and metro systems.

Recently, security experts at Positive Technologies identified several security vulnerabilities in Moxa's EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A series industrial switches. Attackers could exploit them to carry out cross-site scripting attacks that recover passwords from cookies, extract sensitive information, or brute-force credentials over the proprietary configuration protocol, gaining control of the switch and potentially of the entire industrial network.

For instance, IKS-G6824A Series switches, which feature up to 24 optical fibre connections and 24 Gigabit Ethernet ports, were found to contain seven security vulnerabilities. The most critical is a buffer overflow in the web interface that can be triggered without logging in, allowing an unauthenticated attacker to execute code remotely or cause a denial of service.

Other vulnerabilities in IKS-G6824A Series switches allowed attackers to carry out cross-site request forgery attacks, riding on a browser session that the user has already authenticated to the switch's web interface; to perform XSS attacks against users; to send malformed OSPF Hello packets to a vulnerable device, causing it to reboot after two or three minutes; and to read device memory at arbitrary addresses.
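The OSPF Hello case above is the classic malformed-input failure: a receiver that trusts the packet's own length and neighbour fields can be made to read past its buffer or loop over garbage. As an added example (not code from the article, from Positive Technologies, or from Moxa), the following Python parser applies the checks a receiver should make before acting on an OSPFv2 Hello, using the RFC 2328 layout: minimum header length, version and type, the packet-length field against the bytes actually received, a neighbour list that is a whole number of router IDs, the RFC 2328 checksum with the authentication field excluded, and a sane hello/dead interval pair. The packet builder and the sample Hellos it produces are constructed for this example and are not captures; the parser handles AuType 0 and 1 only, and nothing here reproduces the specific packet that rebooted the switch, which the article does not describe.

```python
import struct
from dataclasses import dataclass, field
from typing import List

OSPF_HEADER_LEN = 24   # version, type, length, router ID, area ID, checksum, AuType, auth(8)
HELLO_FIXED_LEN = 20   # netmask, hello interval, options, priority, dead interval, DR, BDR
OSPF_TYPE_HELLO = 1


class MalformedOSPF(ValueError):
    """Raised for any packet that fails a structural or consistency check."""


@dataclass
class Hello:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    options: int
    priority: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: List[str] = field(default_factory=list)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ospf_checksum(pkt: bytes) -> int:
    """RFC 2328 checksum for AuType 0/1: computed over the whole packet with the
    checksum field (offset 12) zeroed and the 8-byte auth field (offset 16) excluded."""
    covered = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    return (~_ones_complement_sum(covered)) & 0xFFFF


def parse_hello(pkt: bytes) -> Hello:
    """Strictly validates an OSPFv2 Hello: every field that drives a length or an
    index is checked before it is used, so a crafted packet cannot steer a read
    past the buffer or a loop over partial entries."""
    if len(pkt) < OSPF_HEADER_LEN:
        raise MalformedOSPF("shorter than the 24-byte OSPF header")
    version, ptype, length, rid, aid, csum, autype = struct.unpack_from("!BBH4s4sHH", pkt, 0)
    if version != 2:
        raise MalformedOSPF(f"unsupported OSPF version {version}")
    if ptype != OSPF_TYPE_HELLO:
        raise MalformedOSPF(f"not a Hello (type {ptype})")
    # The length field is attacker controlled: never trust it over the bytes actually received.
    if length != len(pkt):
        raise MalformedOSPF(f"length field says {length} bytes but {len(pkt)} were received")
    if length < OSPF_HEADER_LEN + HELLO_FIXED_LEN:
        raise MalformedOSPF("Hello body truncated")
    if (length - OSPF_HEADER_LEN - HELLO_FIXED_LEN) % 4:
        raise MalformedOSPF("trailing bytes are not a whole neighbour router ID")
    if autype > 1:
        raise MalformedOSPF(f"AuType {autype} (cryptographic) is outside this example")
    if ospf_checksum(pkt) != csum:
        raise MalformedOSPF("checksum mismatch")
    body = pkt[OSPF_HEADER_LEN:]
    mask, hello_int, options, prio, dead, dr, bdr = struct.unpack_from("!4sHBBI4s4s", body, 0)
    if hello_int == 0 or dead <= hello_int:
        raise MalformedOSPF("dead interval must exceed a non-zero hello interval")
    rest = body[HELLO_FIXED_LEN:]
    neighbors = [_ip_str(rest[i:i + 4]) for i in range(0, len(rest), 4)]
    return Hello(_ip_str(rid), _ip_str(aid), _ip_str(mask), hello_int, options, prio,
                 dead, _ip_str(dr), _ip_str(bdr), neighbors)


def build_hello(router_id="10.0.0.1", area_id="0.0.0.0", netmask="255.255.255.0",
                hello_interval=10, dead_interval=40, neighbors=()) -> bytes:
    """Constructs a well-formed AuType 0 Hello so the parser can be exercised offline
    (addresses and timers are made up for this example, not taken from any device)."""
    body = struct.pack("!4sHBBI4s4s", _ip_bytes(netmask), hello_interval, 0x02, 1,
                       dead_interval, _ip_bytes(router_id), b"\x00" * 4)
    body += b"".join(_ip_bytes(n) for n in neighbors)
    hdr = struct.pack("!BBH4s4sHH8s", 2, OSPF_TYPE_HELLO, OSPF_HEADER_LEN + len(body),
                      _ip_bytes(router_id), _ip_bytes(area_id), 0, 0, b"\x00" * 8)
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def classify(pkt: bytes) -> str:
    """'ok' for a well-formed Hello, otherwise 'malformed: <reason>'."""
    try:
        parse_hello(pkt)
    except MalformedOSPF as exc:
        return f"malformed: {exc}"
    return "ok"
```

Feeding `classify()` a truncated copy of a good Hello, or one whose length field has been inflated, produces a rejection at the length check before any body field is touched; flipping a byte in the body is caught by the checksum. The ordering matters: structural checks run before anything that indexes into the body.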

Similarly, security vulnerabilities in EDS-405A Series, EDS-408A Series, and EDS-510A Series industrial switches allowed attackers to execute arbitrary code through the web console, recover the administrator's password over a proprietary configuration protocol that transmits it without encryption and cannot be disabled, brute-force credentials, and cause a denial of service with a specially crafted packet.

Organisations that have deployed EDS-405A, EDS-408A, EDS-510A, or IKS-G6824A series industrial switches can refer to Moxa's website for the fixes. Moxa's advice to end users is to apply the latest firmware patches, set the web configuration to "https only" or disable the HTTP web console altogether, and manage the devices only over SNMP, Telnet, or the CLI console. Note that Telnet and SNMPv1/v2c also carry credentials in the clear, so those management interfaces should be reachable only from a segregated management network.

Commenting on the large number of security vulnerabilities found in Moxa's industrial switches, Ofer Maor, director of solutions management at Synopsys, told SC Magazine UK that the collection of vulnerabilities found in the Moxa switches is a clear indication that insufficient thought has been given to security in the development of these products.

"Looking at the list, some of these vulnerabilities are results of omissions of fairly rudimentary controls, which is another indication that not much effort has been put into the security of these systems.

"Unfortunately, this is not surprising. The historically secluded nature of critical infrastructure devices (i.e. they are on dedicated networks that were not connected to the internet) allowed them to 'stay under the radar' as far as attack surfaces go, and allowed the vendors, or at least some of them, to keep ignoring security. For that reason, when researchers look into some of these systems, the findings represent what one would expect when looking into the security of a system for the first time," he said.

According to Maor, vendors of critical infrastructure devices and software must build secure development programmes, starting with secure architecture, through secure coding and training of developers, to rigorous automated and manual security testing procedures, much as they already do for quality.

"This maturity of securing software has already been adopted by other industries, like cloud vendors, financial services and online retailers, and will have to be adopted by anybody who is starting to connect to the world, whether it is critical infrastructure, automotive, consumer IoT, etc," he added.
