Major industrial networks, such as those in the oil and gas, transportation and maritime logistics sectors, may be vulnerable to network compromises due to recently discovered security flaws in Moxa industrial switches.
The vulnerabilities were discovered by Positive Technologies experts Ivan Boyko, Vyacheslav Moskvin and Sergey Fedonin, and impact Moxa’s industrial switches in the EDS-405A, EDS-408A, EDS-510A and IKS-G6824A family of products. Those switches, which are used by major industry, could expose those networks to serious attacks and potentially disrupt operations.
“A vulnerable switch can mean the compromise of the entire industrial network,” explained Paolo Emiliani, industry and SCADA research analyst at Positive Technologies. “If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely.”
In Moxa series EDS-405A, EDS-408A and EDS-510A (firmware versions 3.8 and earlier), the Positive Technologies experts discovered five vulnerabilities, three of which are highly dangerous. For instance, an attacker could recover the password from a cookie intercepted over the network or by using cross-site scripting (XSS), extract sensitive information or brute-force credentials using the proprietary configuration protocol to obtain control over the switch and possibly the entire industrial network.
IKS-G6824A switches (firmware versions 4.5 and earlier) contained seven vulnerabilities. The most dangerous one involved a buffer overflow in the web interface that could be performed without logging in. Exploitation of the vulnerability causes denial of service and potentially remote code execution. In the hands of attackers, the other vulnerabilities could cause permanent denial of service on the switch, reading of device memory, ability to perform various actions as a legitimate user in the device web interface and more.
Moxa has published recommendations on ways owners of affected switches can reduce their risk. New firmware versions have been released to address vulnerabilities. Positive Technologies experts advise disabling all unneeded equipment features (such as the management web interface) immediately after setup. If features cannot be disabled, companies should take preventive action to detect malicious activity with the help of an ICS monitoring and incident reaction solution.