Industrial control kit hackable, warn researchers

Plus: Ethernet I/O device's web app 'fails to sanitise user input'

Worker welds at manufacturing plant. Phto by Shutterstock

Multiple vulnerabilities in MOXA ioLogik controllers placed industrial facilities at risk if they do not apply patches.

Applied Risk said it had found multiple vulnerabilities in the MOXA E1242 Ethernet remote I/O series, a widely used range of kit used in industrial facilities such as utilities and manufacturing plants. Code injection, weak password policies and lack of protection mechanisms allow hackers to execute arbitrary code within webpages and modify settings of vulnerable devices.

More specifically, the vulnerabilities allow authenticated users to inject JavaScript into web pages, thus allowing them to modify the settings and send bad instrumentation commands to a device. The MOXA E1242 web application fails to sanitise user input.

Alexandru Ariciu, ICS Security Researcher for Applied Risk, explained: “What was most worrying about this vulnerability is the MD5 hash of the password that is used for authentication is sent as a parameter in each GET request to the server. This is poor practice, as an attacker with a man-in-the-middle (MITM) position can easily circumvent this implementation and bypass the authentication mechanism.”

MOXA develops products for industrial networking, computing and automation. More than 30 million MOXA devices are deployed around the world by customers in 70 countries.

The industrial control kit firm reported to Applied Risk’s research with the release of firmware updates designed to plug the flaws last week.

El Reg invited MOXA to comment on Applied Risk’s research but we’re yet to hear back. We’ll update this story as and when we hear more. ®


Biting the hand that feeds IT © 1998–2017