Exploitation of vulnerabilities in Moxa industrial switches could disrupt communication between ICS components

Positive Technologies experts Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin have discovered multiple vulnerabilities in Moxa industrial switches in the EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A series. These switches are used to build industrial networks for oil and gas, transportation, maritime logistics, and numerous industrial sectors.

“A vulnerable switch can mean the compromise of the entire industrial network. If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely,” Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies explained.

What devices are affected

In Moxa series EDS-405A, EDS-408A, and EDS-510A (firmware versions 3.8 and earlier), the Positive Technologies experts discovered five vulnerabilities, three of which are highly dangerous. For instance, an attacker could recover the password from a cookie intercepted over the network or by using Cross-Site Scripting (XSS), extract sensitive information, or brute-force credentials using the proprietary configuration protocol to obtain control over the switch and possibly the entire industrial network.

IKS-G6824A switches (firmware versions 4.5 and earlier) contained seven vulnerabilities. The most dangerous one involved a buffer overflow in the web interface that could be performed without logging in. Exploitation of the vulnerability causes denial of service and potentially remote code execution.

In the hands of attackers, the other vulnerabilities could cause a permanent denial of service on the switch, reading of device memory, ability to perform various actions as a legitimate user in the device web interface, and more.

How owners of these devices can reduce risk

Moxa has published recommendations for how owners of affected switches can reduce their risk. New firmware versions have been released to address vulnerabilities.

Positive Technologies experts advise disabling all unneeded equipment features (such as the management web interface) immediately after setup. If features cannot be disabled, companies should take preventive action to detect malicious activity with the help of an ICS monitoring and incident reaction solution such as PT Industrial Security Incident Manager (PT ISIM).