Moxa Devices Prone to Vulnerabilities Affecting RailwaysFlaws Fixed, Mitigations Issued for Discontinued Devices
SEC Consult, a cybersecurity consultancy firm that is part of Atos, has reportedly found multiple vulnerabilities in several Moxa devices used in various critical infrastructures including railways, manufacturing, cellular and other heavy industries. Moxa has confirmed patching 60 vulnerabilities in its latest firmware update and has issued mitigation advice for affected but discontinued devices.
Moxa network devices are prone to vulnerabilities affecting manufacturing companies, (critical) infrastructure and heavy industry https://t.co/6eZRRcD5sn (CVE-2015-0235) @MoxaInc @IoTInspector #infosec #IndustrialAutomation #IIoT pic.twitter.com/YPOn4ugYtV— SEC Consult (@sec_consult) September 1, 2021
According to SEC Consult, “Multiple devices developed by MOXA Inc. are prone to different vulnerabilities, like authenticated command injection [CVE-2021-39279] and a reflected cross-site scripting in the config-upload [CVE-2021-39278].”
The CVE-2021-39279 vulnerability is triggered by sending a GET request to the "/forms/web_importTFTP" CGI program, which is available on the web interface. “An attacker can abuse this vulnerability to compromise the operating system of the device,” the researchers say.
Thomas Weber, senior security researcher at SEC Consult, tells Information Security Media Group: “The command injection vulnerability can be considered as one of the most critical issues in this entire set of vulnerabilities. To exploit the command injection vulnerability, an attacker needs to have access to the device's web interface and of course user credentials.”
Considering that some devices are even exposed to the public, according to an IOT search engine Shodan search that Weber conducted, “This [exploitation] is feasible and just a matter of time,” he says.
CVE-2021-39278 is a reflected cross-site scripting vulnerability that can be exploited using a crafted config-file, which is uploaded via the "Config Import Export" tab in the main menu, the researchers say.
According to Weber: “Both of the newly discovered vulnerabilities [CVE-2021-39279 and CVE-2021-39278] were present in the web interface and have the potential to let attackers take over the device permanently. The command injection in the web interface can just be exploited by an authenticated attacker that has gained credentials for the web interface [or can access if the default credentials are not changed].”
The XSS in combination with the command injection may pose a risk and enable building an exploit chain to create a one-click exploit that can be used to target authenticated users. But, Weber adds, “This was not tested during our security research."
Another critical flaw originating from the "old" vulnerabilities is the hard-coded user account uncovered by Cisco Talos in 2016 and tracked as CVE-2016-8717. Weber says, however, that the hash itself seems to have changed.
Furthermore, a gethostbyname buffer overflow vulnerability, known as GHOST, in the outdated GNU C Library version 2.9, known as glibc, was successfully tested with a public exploit and tracked as CVE-2015-0235. This glibc v2.9 is affected by multiple other CVEs, including , CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more. Moxa’s security advisory provides the complete list.
SEC Consult’s IoT inspector found multiple outdated software components with known vulnerabilities. They include:
- BusyBox - v1.18.5 - 06/2011
- Dropbear SSH - v2011.54 - 11/2011
- GNU glibc - v2.9 - 02/2009
- Linux Kernel - v2.6.27 - 10/2008
- OpenSSL - v0.9.7g - only found in the program "iw_director" and v1.0.0
Weber confirmed to ISMG that most of the 60 vulnerabilities discovered originated from these outdated vulnerable software components.
The researchers say all of these vulnerability findings have been verified by emulating the vulnerable devices on Medusa scalable firmware runtime.
Moxa issued two separate security advisories - one for TAP and WAC and one for OnCell and WDR products for these vulnerabilities. The combined list of all affected devices, however, includes 12 device models and the following device series:
- TAP-323 Series: A trackside wireless unit designed for train-to-ground wireless communication.
- WAC-1001 Series: Wireless access controller that provides roaming experience for Moxa’s access points in distributed wireless networks.
- OnCell G3470A-LTE Series: An Ethernet IP gateway with LTE band support that is used in cellular applications.
- WAC-2004 Series: A now discontinued Wireless Access Controller that incorporates with the AWK-RTG (Rail Train to Ground) series and was designed specifically for Railway applications.
- WDR-3124A Series: A now phased out industrial wireless device router used in a wireless or cellular setting.
According to Moxa, the following patches must be applied to fix issues in the respective devices:
- WAC-1001 - v2.1.5
- WAC-1001-T - v2.1.5
- OnCell G3470A-LTE-EU - v1.7.4
- OnCell G3470A-LTE-EU-T - v1.7.4
- TAP-323-EU-CT-T - v1.8.1
- TAP-323-US-CT-T - v1.8.1
- TAP-323-JP-CT-T - v1.8.1
As the WAC-2004 and WDR-3124A Series devices have reached the end of life, Moxa has only provided mitigation steps in its security advisories.
Moxa’s security advisories coincide with several other tech and network-attached storage device companies that use the OpenSSL cryptography library toolkit reportedly releasing their own security advisories following the patching of two critical vulnerabilities in the toolkit (see: Vendors Issue Security Advisories for OpenSSL Flaws).