Just a reminder: We're still bad at securing industrial controllers

Moxa boxes caught using plain text passwords and insecure web apps

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers.

The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 different security vulnerabilities in controllers from Moxa.

The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).

"A vulnerable switch can mean the compromise of the entire industrial network," Paolo Emiliani, Positive's analyst for Industry and SCADA research, said today.

"If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely."

A number of the bugs were found in the web interface for the Moxa devices. In the EDS-405A, EDS-408A, and EDS-510A series controllers, the Positive researchers found web console passwords stored in plain text, predictable session IDs for web server cookies (those cookies could be used to recover administrator passwords), and authentication rules that place no limit on login attempts, allowing brute force attacks on the switches.

The switches were also found to be sending sensitive data via "proprietary protocols" that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

Meanwhile, the IKS-G6824A series of backbone switches was subject to seven unique vulnerabilities of its own, including multiple cross-site scripting bugs, buffer overflow errors, and cross-site request forgery errors. The box's web interface was also found to be improperly configured, allowing users who were set to read-only mode to change configurations.

For most of the flaws, Moxa is recommending customers update their firmware to the latest version, though there are other steps that will need to be taken to close up all of the holes.

For the EDS-405A, EDS-408A, and EDS-510A, admins will need to set their web configuration to "HTTPS only" in order to close a predictable session ID problem. For the IKS-G6824A, admins are advised to disable HTTP access altogether and use SNMP/Telnet/CLI to manage the devices. ®
