Two Moxa Zerodays

While adding new equipment to our ICS Range (an interactive online training platform for industrial security) our security research department found two new zero-day vulnerabilities for the MOXA Ethernet-to-serial converter Nport 51xx in the current, newest firmware version.

Both of the found zero-days vulnerabilities, could potentially affect production severely - the same Moxa model/series has previous been (ab)used malicious in the Ukraine 2015 power grid attack.

Background:

We wanted to include MOXA devices in our training environment, as this devices are known to be used worldwide, in many different industries.

Information on both vulnerabilities have been provided to the vendor as responsible disclosure, with POC scripts and video showing the vulnerabilities. During the ongoing dialogue, the vendor has tested the provided information, acknowledged the findings and the vendor are current validating that the new firmware has resolved the found vulnerabilities.

The vulnerabilities is as following:

DOS: CVE-2022-2043 – CVSS Severity: High

The affected product is vulnerable to an out-of-bounds write that can cause the device to become unresponsive. A CVSS v3 base score of 7.5 has been assigned The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

OOB: CVE-2022-2044 – CVSS Severity: High

Successful exploitation of these vulnerabilities could allow an attacker to change memory values and/or cause the device to become unresponsive. A CVSS v3 base score of 8.2 has been assigned The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

NB: Model 51xx with (at that time) latest firmware version (2.10) have been found vulnerable – other MOXA Ethernet-to-serial converter Nport models/series and firmware versions could potential be affected as well.

Timeline:

2022-03-07 - Responsible disclosure report added (ref: VU#596171) - send to Vendor (MOXA) 2022-03-09 - MOXA acknowledgment of report and forwarding the documents to Moxa's PSIRT 2022-03-14 - 2th vulnerability are added to the responsible disclosure report, with details. Vendor acknowledgment next day 2022-03-17 - Vendor indicated release date of new firmware would be June 8 2022-06-06 - CISA ask for draft of vendor advisory 2022-06-06 - Vendor ask for details to be added in the acknowledgment section 2022-06-10 - Vendor advisory published https://www.moxa.com/en/support/product-support/security-advisory/nport5110-series-vulnerabilities 2022-06-14 - CISA draft initial advisory 2022-06-23 - Further on-going dialogue on vulnerabilities and associated CVSS scoring. 2022-07-05 - CVSS scoring agreement reached 2022-07-26 - Advisory published https://www.cisa.gov/uscert/ics/advisories/icsa-22-207-04

MITIGATIONS

MOXA recommends contacting MOXA Technical Support for the security patch.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics.
Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Next Post