A slew of serious vulnerabilities in the Moxa EDR-810 series of industrial secure routers could be exploited to inject OS commands, intercept weakly encrypted passwords or extract clear-text ones, expose sensitive information, trigger a crash, and more.
Moxa EDR-810 series flaws
The existence of the flaws was revealed when the Cisco Talos team published a post detailing them on Friday. The good news is that they have all been fixed, and Moxa is urging users to install the firmware update containing the fixes as soon as possible.
“One of the pillars of ICS security, as well as the security of traditional IT networks, is restricting access to network activity. This may include unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls and separate authentication mechanisms and credentials for users of corporate and ICS networks. ICS devices, including firewalls that secure networks, run software which can contain vulnerabilities and serve as a pathway that may allow attackers to take advantage and intrude into an ICS network environment,” the researchers explained.
“Moxa EDR-810 is one of the devices specialized in providing firewalls specifically designed to function within ICS infrastructure and provide network security to ICS processes.”
Given that the vulnerabilities were discovered by Cisco Talos researcher Carlos Pacho and responsibly disclosed to Moxa, the likelihood that attackers have unearthed any of them independently and have been exploiting them is small.
Nevertheless, now that their existence has been made public, potential attackers will know where to look. Cisco has therefore also published several Snort rules that defenders can deploy to detect attempts to exploit these vulnerabilities, since there are many reasons why some organizations may delay installing the provided update.
Good to know
Earlier this month, Cisco Talos also shared information about a command injection flaw in the Moxa AWK-3131A industrial wireless access point/bridge/client appliances, which could be exploited by an attacker to achieve remote, unauthenticated, root-level operating system command execution.
The information was released a week after Moxa pushed out a firmware update that fixes the flaw.