After trying to work with Moxa for over 8 months, Labs decided that it was time to reveal some information (and most importantly, some mitigation advice) about NPort serial converter issues.

Labs published an advisory last week concerning Moxa NPort 5000 and 6000 series embedded serial converter products.  The security issues in these devices should not surprise long-time readers of the blog, anyone familiar with INL’s Boreas vulnerability, or anyone who has followed the many research projects detailing security vulnerabilities in industrial field device equipment.  Little consideration is given to device security in this class of product.

Notably, Labs has received several reports that Moxa serial devices were targeted in an attack in 2015. More reliable information concerning specific devices is available in a DHS report labeled TLP: Green.

Moxa devices are fairly typical for this class of control system component.  Many of the big vendors in the serial converter space design their own management protocols for these devices. While the protocols differ in implementation, the functionality is often similar: configuration changes, configuration backups, and firmware upgrades are often performed via these custom protocols.

Lacking security scrutiny, the protocols often allow authentication bypass and contain protocol parsing issues.  To further compound the problem, the devices and protocols are so specialized that almost nobody looks very deeply at the parsers, let alone produces IDS signatures for attack patterns. End users are stuck applying compensating controls for these vulnerabilities, which have been well known to, and solved by, security-aware vendors in the IT world for 15+ years.

The Moxa devices are particularly interesting here because the MCU inside uses an 80186-based core (16-bit Intel). There are buffer overflows throughout the various protocol parsers that can be exploited for arbitrary code execution. Coupled with a well-understood CPU architecture, the barrier to developing a meaningful rootkit for the device, one which could trigger undesired operations on the attached serial equipment, is low.
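To make the parser class concrete, here is an added example that is not code from the advisory or from Moxa firmware. It models a hypothetical "set device name" management message whose length byte is attacker-controlled, shows the unchecked copy that produces the kind of overflow described above, and places the bounds-checked version beside it. The message layout, command id, field sizes and function names are all assumptions for illustration. To keep the demonstration deterministic, the vulnerable parser writes into an oversized scratch buffer filled with a sentinel, so the bytes that would land on a real device's stack or adjacent configuration data can be counted instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical management message (NOT Moxa's real protocol):
 *   byte 0   : command id (0x10 = set device name)
 *   byte 1   : declared length of the name that follows
 *   byte 2.. : name bytes
 */
#define CMD_SET_NAME   0x10
#define NAME_FIELD_LEN 16   /* capacity of the name field in device config */
#define SCRATCH_LEN    64   /* stand-in for the memory that follows the field */

/* Vulnerable parser: trusts the length byte and copies that many bytes into
 * a field sized for NAME_FIELD_LEN.  On a real device the excess overwrites
 * whatever follows the field.  Returns the number of bytes copied. */
size_t parse_set_name_vuln(const uint8_t *frame, size_t frame_len, uint8_t *name_field)
{
    if (frame_len < 2 || frame[0] != CMD_SET_NAME)
        return 0;
    size_t declared = frame[1];
    memcpy(name_field, frame + 2, declared);   /* no check against field size or frame_len */
    return declared;
}

/* Hardened parser: rejects lengths that exceed the frame (over-read) or the
 * field (overflow), and always NUL-terminates.  Returns bytes copied, or a
 * negative code: -1 bad header, -2 truncated frame, -3 name too long. */
int parse_set_name_safe(const uint8_t *frame, size_t frame_len, uint8_t name_field[NAME_FIELD_LEN])
{
    if (frame_len < 2 || frame[0] != CMD_SET_NAME)
        return -1;
    size_t declared = frame[1];
    if (declared > frame_len - 2)
        return -2;                 /* declared length runs past the received bytes */
    if (declared >= NAME_FIELD_LEN)
        return -3;                 /* would not fit with its terminator */
    memcpy(name_field, frame + 2, declared);
    name_field[declared] = 0;
    return (int)declared;
}

/* Constructed oversized frame: a 40-byte name against a 16-byte field.
 * Returns how many sentinel bytes beyond the field the vulnerable parser
 * clobbered; the hardened parser's return code is stored in *safe_rc. */
size_t demo_overflow(int *safe_rc)
{
    uint8_t frame[2 + 40];
    frame[0] = CMD_SET_NAME;
    frame[1] = 40;
    memset(frame + 2, 'A', 40);

    uint8_t scratch[SCRATCH_LEN];
    memset(scratch, 0xAA, sizeof scratch);     /* sentinel after the 16-byte field */
    parse_set_name_vuln(frame, sizeof frame, scratch);

    size_t clobbered = 0;
    for (size_t i = NAME_FIELD_LEN; i < SCRATCH_LEN; i++)
        if (scratch[i] != 0xAA)
            clobbered++;

    uint8_t field[NAME_FIELD_LEN];
    *safe_rc = parse_set_name_safe(frame, sizeof frame, field);
    return clobbered;
}

/* Constructed truncated frame: declares 40 bytes but only 10 follow. */
int demo_truncated(void)
{
    uint8_t frame[12] = { CMD_SET_NAME, 40, 'A','A','A','A','A','A','A','A','A','A' };
    uint8_t field[NAME_FIELD_LEN];
    return parse_set_name_safe(frame, sizeof frame, field);
}

/* Constructed well-formed frame: a 5-byte name. */
int demo_valid(void)
{
    uint8_t frame[7] = { CMD_SET_NAME, 5, 'p','u','m','p','7' };
    uint8_t field[NAME_FIELD_LEN];
    return parse_set_name_safe(frame, sizeof frame, field);
}

int main(void)
{
    int rc;
    size_t n = demo_overflow(&rc);
    printf("vulnerable parser clobbered %zu bytes past the field; hardened parser returned %d\n", n, rc);
    printf("truncated frame -> %d, valid frame -> %d\n", demo_truncated(), demo_valid());
    return 0;
}
```

The two checks in the hardened parser are the ones an IDS signature for this message class would also need to encode: a declared length larger than the bytes actually on the wire, and a declared length larger than the field it is destined for. Both are simple to express once the protocol has been documented, which is exactly the work nobody has done for most of these devices.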

Other typical issues with such mass-produced embedded products include web application vulnerabilities.

A trend in ICS security has been building. Once even a limited amount of information has been released to the public, tools start to pop up. In this case, two tools were released within days of Labs’ advisory.

The first is an Nmap scanner module by the Chinese research group PLCSec, accompanied by an internet sweep of connected devices.  Shodan has also already incorporated the scanner module into its search database, and shows ~5000 devices directly connected to the Internet.

With the cautious good news of PLCs incorporating more security in their design, a growing area of concern will be support equipment on industrial networks.

Industrial switches, radio bridges, cellular gateways, and other backbone equipment have all received increased attention in the last three years.  While the barrier to entry for analyzing all of this infrastructure equipment is high, the flip side is that most of it has never been subjected to negative testing at all.  The result is going to be a lot of low-hanging fruit for researchers to find, for years to come.

Image credit: Ron Fabela