[Control Systems] Moxa security advisory (AV26-370)
Analysis Summary
# Vulnerability: Moxa Ethernet Switches NTP Denial of Service
## CVE Details
- **CVE ID:** CVE-2020-11868
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-20 (Improper Input Validation) / CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** Moxa Industrial Ethernet Switches (PowerTrans Series)
- **Versions:**
  - PT-508 Series: Version 3.8 and prior
  - PT-510 Series: Version 3.8 and prior
  - PT-7528 Series: Version 5.0 and prior
  - PT-7728 Series: Version 3.9 and prior
  - PT-7828 Series: Version 4.0 and prior
  - PT-G503 Series: Version 5.3 and prior
  - PT-G510 Series: Version 6.5 and prior
- **Configurations:** Systems with Network Time Protocol (NTP) enabled.
## Vulnerability Description
The vulnerability exists within the `ntpd` (NTP daemon) component used in the firmware of several Moxa industrial Ethernet switches. Specifically, the daemon is susceptible to a Denial of Service (DoS) attack: if a remote attacker sends a specially crafted packet with a mode 7 (monlist) command or a similar malformed request, the NTP daemon may crash or exhaust its resources, preventing time synchronization across the industrial network.
## Exploitation
- **Status:** Not reported as exploited in the wild; PoC available for the underlying NTP vulnerability.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device service disruption/Loss of time synchronization)
## Remediation
### Patches
Moxa recommends upgrading to the following firmware versions or higher:
- **PT-508 Series:** v3.9
- **PT-510 Series:** v3.9
- **PT-7528 Series:** v5.1
- **PT-7728 Series:** v4.0
- **PT-7828 Series:** v4.1
- **PT-G503 Series:** v5.4
- **PT-G510 Series:** v6.6
### Workarounds
- **Disable NTP:** If time synchronization is not critical, disable the NTP service on the device.
- **Firewall Filtering:** Restrict access to UDP port 123 (NTP) to only trusted internal time servers.
- **Access Control Lists (ACLs):** Implement ACLs on the switch management interface to allow only authorized IP addresses to communicate with the device.
## Detection
- **Indicators of Compromise:** Unexpected crashing of the NTP service; inability of downstream devices to sync time; presence of anomalous UDP 123 traffic from external or unauthorized IPs.
- **Detection methods:** Vulnerability scanners (Nessus/OpenVAS) can identify outdated NTP versions; Network Intrusion Detection Systems (NIDS) can be configured to alert on NTP mode 7 requests.
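A small detector for the NIDS check described above, added here as an example (it is not code from Moxa or the advisory): it parses the NTP header of captured UDP/123 payloads, flags mode 7 (private) requests including the monlist request codes, and reports sources outside a trusted time-server allowlist. The sample packets and addresses are constructed; the request codes 20/42 are the `REQ_MON_GETLIST` values from ntpd's `ntp_request.h`.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

MODE_CONTROL = 6   # mode 6: ntpq control messages
MODE_PRIVATE = 7   # mode 7: ntpdc private messages (monlist lives here)
MONLIST_REQUEST_CODES = {20, 42}  # REQ_MON_GETLIST / REQ_MON_GETLIST_1 in ntpd's ntp_request.h

@dataclass
class NtpEvent:
    src: str
    version: int
    mode: int
    request_code: Optional[int]
    reasons: List[str] = field(default_factory=list)

def parse_ntp_header(payload: bytes):
    """Return (version, mode, request_code); byte 0 holds VN (bits 3-5) and Mode (bits 0-2),
    and for mode 7 the request code is byte 3 of the private-mode header."""
    if len(payload) < 4:
        raise ValueError("payload too short for an NTP header")
    version = (payload[0] >> 3) & 0x07
    mode = payload[0] & 0x07
    request_code = payload[3] if mode == MODE_PRIVATE else None
    return version, mode, request_code

def classify(src: str, payload: bytes, trusted_servers: List[str]) -> NtpEvent:
    version, mode, req = parse_ntp_header(payload)
    event = NtpEvent(src, version, mode, req)
    if mode == MODE_PRIVATE:
        event.reasons.append("mode 7 (private) request")
        if req in MONLIST_REQUEST_CODES:
            event.reasons.append(f"monlist request code {req}")
    elif mode == MODE_CONTROL:
        event.reasons.append("mode 6 (control) request")
    if not any(ip_address(src) in ip_network(t) for t in trusted_servers):
        event.reasons.append("source not in trusted time-server list")
    return event

# Constructed sample captures: (source IP, raw UDP/123 payload)
SAMPLE_CAPTURES = [
    ("10.0.0.5", bytes([0x1C]) + bytes(47)),                      # v3 server reply from trusted server
    ("203.0.113.9", bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)),  # v2 mode 7 monlist request, external
    ("192.168.1.20", bytes([0x1B]) + bytes(47)),                  # v3 client request from untrusted host
]
TRUSTED_SERVERS = ["10.0.0.5", "10.0.0.6"]  # constructed allowlist of internal time servers

def scan(captures=SAMPLE_CAPTURES, trusted=TRUSTED_SERVERS) -> List[NtpEvent]:
    """Return only the packets that produced at least one alert reason."""
    return [e for e in (classify(s, p, trusted) for s, p in captures) if e.reasons]
```

Feed `scan()` the (source, payload) pairs from your packet capture; the trusted-server reply produces no reasons, while the external mode 7 packet is reported with the monlist code and its untrusted source.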
## References
- **Moxa Advisory:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-258681-cve-2020-11868-ntp-vulnerability-in-ethernet-switches
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alertes-avis/systemes-controle-bulletin-securite-moxa-av26-370
- **NVD CVE-2020-11868:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2020-11868