Full Report
By exploiting the vulnerability, a user with “Read Only” privilege level can send requests via the web console to have the device’s configuration changed.

Scope: Scope changed: the security of serial devices connected to NPort can be affected
Analysis Summary
# Vulnerability: Broken Access Control in Moxa NPort IA5000A Series Allowing Configuration Changes
## CVE Details
- CVE ID: CVE-2020-27149
- CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) (High)
- CWE: CWE-284 (Improper Access Control) (Inferred from description "Broken access control")
## Affected Systems
- Products: Moxa NPort IA5150A Series, NPort IA5250A Series, NPort IA5450A Series (Specifically models: IA5150A-IEX, IA5150A-T-IEX, IA5150A-T, IA5150A, IA5150AI-IEX, IA5150AI-T-IE, IA5150AI-T, IA5150AI, IA5250A-IEX, IA5250A-T-IEX, IA5250A-T, IA5250A, IA5250AI-IEX, IA5250AI-T-IE, IA5250AI-T, IA5250AI, IA5450A-T, IA5450A, IA5450AI-T, IA5450AI)
- Versions: Pre-patch versions specified below.
- Configurations: Accessible via web console (ports 80/TCP or 443/TCP).
## Vulnerability Description
This is an Improper Access Control vulnerability in the Moxa NPort IA5000A series. A remote attacker who possesses an account with only "Read Only" privileges can successfully send requests through the web console that are typically reserved for users with "Read Write" privileges. This allows the attacker to modify the device's configuration, which can subsequently affect the security and operation of the serial devices connected to the NPort.
## Exploitation
- Status: Existence of exploit is **Unknown**. (Not explicitly stated as exploited in the wild)
- Complexity: **Low**. (Low skill level required to exploit, low attack complexity)
- Attack Vector: **Network**. (Remotely exploitable via network access to ports 80/TCP or 443/TCP)
## Impact
- Confidentiality: **High**. (Modification of configuration could expose sensitive data or control channels)
- Integrity: **High**. (Attacker can change configuration, leading to unauthorized modifications)
- Availability: **High**. (Configuration changes can disrupt device operation or connected serial device availability)
## Remediation
### Patches
- For NPort IA5150A/IA5250A Series: Upgrade to firmware version **1.5 or higher**.
- For NPort IA5450A Series: Upgrade to firmware version **2.0 or higher**.
(Firmware can be downloaded from the vendor website.)
### Workarounds
1. Disable all unused user accounts with "Read Only" privileges.
2. Configure a border firewall to restrict access to ports 80/TCP and 443/TCP to authorized parties only.
3. Disable all unused network services on the device to reduce the attack surface.
4. Implement a Virtual Private Network (VPN) to secure remote access.
5. Implement network segmentation and strict access control for the industrial network segment.
## Detection
- Indicators of Compromise: Look for web configuration modification requests originating from user accounts with known "Read Only" access levels.
- Detection methods and tools: Implement a Network Intrusion Detection System (NIDS) capable of detecting unusual network connections or abnormal traffic patterns directed towards the device's web interface (ports 80/TCP, 443/TCP). Monitor user activity logs for unauthorized configuration changes recorded under "Read Only" accounts.
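
One way to run the log check described in this section, as an added example that is not from the advisory or the vendor. It assumes an HTTP log in front of the device that records the authenticated account, and that configuration changes arrive as non-GET requests; the record layout, account names, and paths are constructed for illustration.

```python
import csv
import io

# Assumed record layout (not a Moxa log format): time,src_ip,account,method,path,status
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed roster: account -> privilege level configured on the device.
ROSTER = {"admin": "Read Write", "operator1": "Read Only", "viewer": "Read Only"}

# Constructed sample records; the paths are placeholders, not real device URLs.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z,10.0.5.20,admin,POST,/example/config/save,200
2024-05-01T08:02:13Z,10.0.5.31,viewer,GET,/example/status,200
2024-05-01T08:05:40Z,10.0.5.44,operator1,POST,/example/config/save,200
2024-05-01T08:06:02Z,10.0.5.31,viewer,POST,/example/config/serial,403
truncated line without enough fields
2024-05-01T08:07:15Z,10.0.5.44,operator1,GET,/example/overview,200
"""


def find_read_only_writes(log_text, roster):
    """Return state-changing requests made by accounts rostered as Read Only."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed or truncated records
        ts, src, account, method, path, status = (f.strip() for f in row)
        if roster.get(account) != "Read Only":
            continue  # Read Write and unknown accounts are out of scope here
        if method.upper() in SAFE_METHODS or not status.isdigit():
            continue
        # 2xx/3xx means the device accepted the write: the indicator itself.
        # 4xx/5xx means it was refused, which still merits a look at the source.
        outcome = "accepted" if 200 <= int(status) < 400 else "rejected"
        findings.append({"time": ts, "src": src, "account": account,
                         "request": f"{method.upper()} {path}", "outcome": outcome})
    return findings


if __name__ == "__main__":
    for hit in find_read_only_writes(SAMPLE_LOG, ROSTER):
        print(hit)
```

An "accepted" finding on a device that should be patched is worth checking against the firmware versions listed under Remediation.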
## References
- Vendor advisory: hxxps://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
- Kaspersky Advisory: KLCERT-20-018