Moxa created a new firmware version to mitigate vulnerabilities in its EDR-G903 secure routers, according to a report on ICS-CERT.
These vulnerabilities, discovered by independent researcher Maxim Rupp, are remotely exploitable.
EDR-G903 Versions V3.4.11 and older suffer from the issues.
Successful exploitation of these vulnerabilities may allow a remote attacker to escalate privileges, initiate a denial-of-service condition, and execute arbitrary code.
Moxa is a Taiwan-based company that maintains offices in several countries around the world, including the U.S., UK, India, Germany, France, China, Russia, and Brazil.
The affected product, Moxa EDR-G903 series, is an industrial virtual private network (VPN) server with firewall/NAT all-in-one secure router. It is for Ethernet security applications in sensitive remote control or monitoring networks.
These secure routers end up deployed across several sectors, including commercial facilities, critical manufacturing, emergency services, and energy. Moxa said these products see use globally but end up concentrated mainly in the U.S., Europe, Chile, Argentina, Peru, Colombia, and Taiwan; 50 to 60 percent of all sales are in the U.S.
In terms of privilege escalation, by accessing a specific uniform resource locator (URL) on the web server, an attacker could gain access to configuration and log files.
CVE-2016-0875 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, configuration files contain passwords in plaintext.
CVE-2016-0876 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
Also, the ping function is available to every user, which may cause a memory leak in the affected device.
CVE-2016-0877 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In another vulnerability, by sending malicious requests in the form of a ping twice, the device independently produces “Cold start.”
CVE-2016-0878 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, configuration or log files are not deleted from the server side after the import function is used, and any attacker is able to download them “without authenticating” by accessing a specific URL.
CVE-2016-0879 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit these vulnerabilities.
Moxa has created firmware version v3.4.12, and it is available to users upon request.