Experts at Cisco’s Talos intelligence and research group alerted of 17 vulnerabilities in an industrial router from Moxa, including high severity command injection and denial-of-service (DoS) flaws.
The vulnerabilities have been found in Moxa EDR-810 – an integrated industrial multiport secure router that provides firewall, NAT, VPN and managed Layer 2 switch capabilities.
The vendor claims that this device was created for monitoring, controlling, and protecting critical assets like pumping and treatment systems in water stations, PLC and SCADA systems in factory automation applications, and DCS in oil and gas organizations.
Some of the issues that Cisco found have been described as high severity command injection vulnerabilities affecting the web server functionality of the Moxa router. The security holes allow hackers to escalate privileges and obtain a root shell on the system by sending specially crafted HTTP POST requests to the targeted device.
In addition, the industrial router is impacted by several high severity DoS flaws which can be exploited by sending specially crafted requests to the device.
The researchers found four medium severity issues related to the transmission of passwords in clear text, information disclosure involving the Server Agent functionality, and the use of weakly encrypted or clear text passwords. The technical details and proof-of-concept (PoC) code for each of the vulnerabilities have been revealed by Cisco.
The security flaws have been reproduced on Moxa EDR-810 v4.1 devices, and patched by the vendor with the release of version 4.2 on April 12. Considering the fact that these issues were reported to Moxa in November 2017, it means that the company needed apprximatelly 150 days to release the fix, which is the average patching time for SCADA systems.
In 2017, Talos published advisories describing over a dozen security holes uncovered in Moxa access points. While in 2016, the researcher Maxim Rupp found a number of severe flaws which could have been exploited for DoS attacks, arbitrary code execution, and privilege escalation.