Full Report
Moxa has released updates that close serious flaws in NPort device firmware. Devices of this type were targeted in December 2015 attacks on Ukrainian power companies.
Analysis Summary
# Vulnerability: Critical Flaws in Moxa NPort Serial-to-Ethernet Device Firmware
## CVE Details
- **CVE ID:** CVE-2017-14028 (Stack-based Buffer Overflow), CVE-2017-12120 (Missing Authentication)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-121 (Stack-based Buffer Overflow), CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Moxa NPort 5110, NPort 5130, NPort 5150
- **Versions:** Firmware versions 2.6, 2.7, and 2.8
- **Configurations:** Devices with the web management console enabled, or devices exposed to the network through default serial-to-Ethernet configurations.
## Vulnerability Description
The primary flaw (CVE-2017-14028) is a **stack-based buffer overflow** in the firmware's handling of specific network packets. An unauthenticated attacker can send a specially crafted packet to the device, overwriting memory and allowing **Remote Code Execution (RCE)**.
Additionally, CVE-2017-12120 involves a **lack of authentication** for certain administrative functions, allowing remote attackers to modify device settings or trigger a Denial of Service (DoS) without providing credentials.
## Exploitation
- **Status:** Historically targeted (NPort devices were notably used in the December 2015 attacks on the Ukrainian power grid). PoC code for similar NPort vulnerabilities is publicly available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to data passing through the serial port)
- **Integrity:** High (Ability to modify device configuration and firmware)
- **Availability:** High (Ability to crash the device or disrupt serial communication)
## Remediation
### Patches
Moxa has released firmware updates to address these vulnerabilities. Users are strongly advised to upgrade to the following versions:
- **NPort 5110:** Firmware Version 2.9 (or newer)
- **NPort 5130:** Firmware Version 2.9 (or newer)
- **NPort 5150:** Firmware Version 2.9 (or newer)
### Workarounds
- Disable the web management console if not required.
- Isolate NPort devices from the public internet using a firewall or VPN.
- Implement strict Access Control Lists (ACLs) to permit traffic only from authorized IP addresses.
## Detection
- **Indicators of Compromise:** Unusual device reboots, unauthorized changes to serial port configurations, or unexplained network traffic on port 80 (HTTP) or the configured data ports.
- **Detection methods and tools:**
  - Use Industrial Control System (ICS) aware intrusion detection systems (IDS) to monitor for malformed packets targeting Moxa configuration ports.
  - Conduct regular vulnerability scans using tools with updated ICS plugins (e.g., Nessus, Tenable.ot).
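As an added illustration of the ACL workaround and the traffic-based indicators above (example code, not from the advisory or from Moxa), the script below scans a constructed firewall-style connection log and flags any connection to an NPort's web console or data port that did not originate from an authorized management network. The device addresses, the authorized network, the data port number and the log format are all assumptions.

```python
"""Flag NPort management/data-port access from unauthorized hosts.

Constructed example: log lines are a simplified firewall connection log,
not real Moxa or NPort output. Device addresses, the authorized
management network and the data port are assumptions for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed NPort device addresses (constructed, RFC 5737 documentation range).
NPORT_DEVICES = {"192.0.2.10", "192.0.2.11"}
# Assumed network permitted to reach the devices (the ACL from the workaround).
AUTHORIZED_NETS = [ip_network("198.51.100.0/24")]
# Port 80 is the web console; 4001 is an assumed configured serial data port.
WATCHED_PORTS = {80: "web console", 4001: "serial data port"}

LOG_LINE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

def is_authorized(src: str) -> bool:
    """True if the source address falls inside an authorized network."""
    addr = ip_address(src)
    return any(addr in net for net in AUTHORIZED_NETS)

def find_unauthorized_access(lines):
    """Return (src, dst, port, label) tuples for connections to a watched
    NPort port that came from outside the authorized networks."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a connection record; ignore
        dst, dport = m["dst"], int(m["dport"])
        if dst not in NPORT_DEVICES or dport not in WATCHED_PORTS:
            continue  # traffic to other hosts or ports is out of scope here
        if not is_authorized(m["src"]):
            hits.append((m["src"], dst, dport, WATCHED_PORTS[dport]))
    return hits

# Constructed sample log: one authorized session, two unauthorized ones,
# and one connection to an unrelated host that must not be flagged.
SAMPLE_LOG = [
    "2017-11-21T10:00:01 ACCEPT src=198.51.100.5 dst=192.0.2.10 dport=80",
    "2017-11-21T10:02:17 ACCEPT src=203.0.113.77 dst=192.0.2.10 dport=80",
    "2017-11-21T10:03:40 ACCEPT src=203.0.113.77 dst=192.0.2.11 dport=4001",
    "2017-11-21T10:04:02 ACCEPT src=203.0.113.77 dst=192.0.2.50 dport=22",
]

if __name__ == "__main__":
    for src, dst, port, label in find_unauthorized_access(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst}:{port} ({label}) from outside authorized networks")
```

Pointing the same check at real flow or firewall logs, with the device list and authorized networks taken from the site's ACL, turns the "unexplained traffic on port 80 or the data ports" indicator into a repeatable alert.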
## References
- **Vendor Advisory:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory
- **ICS-CERT Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2017/11/21/moxa-fixes-serious-vulnerabilities-in-nport-serial-network-interface-devices/
- **CISA Advisory (Related):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-17-306-01