Full Report
An exported device configuration contains the passwords of all users on the system and other sensitive data in their original form if the “Pre-shared key” is not set.
Analysis Summary
# Vulnerability: Plaintext Password Storage in Moxa NPort IA5000A Configuration Exports
## CVE Details
- **CVE ID:** CVE-2020-27150
- **CVSS Score:** 5.3 (Medium)
  - *Note: While the article text mentions 0.0, the provided vector string `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N` and NVD records indicate a Medium severity based on High Confidentiality impact.*
- **CWE:** CWE-312 (Cleartext Storage of Sensitive Information) / CWE-319 (Cleartext Transmission of Sensitive Information)
## Affected Systems
- **Products:** Moxa NPort IA5000A Series Serial Device Servers
- **Versions:** All versions where the "Pre-shared key" is not utilized.
- **Specific Models:**
  - IA5150A / IA5150A-T / IA5150A-IEX / IA5150A-T-IEX
  - IA5150AI / IA5150AI-T / IA5150AI-IEX / IA5150AI-T-IEX
  - IA5250A / IA5250A-T / IA5250A-IEX / IA5250A-T-IEX
  - IA5250AI / IA5250AI-T / IA5250AI-IEX / IA5250AI-T-IEX
  - IA5450A / IA5450A-T
  - IA5450AI / IA5450AI-T
- **Configurations:** Devices where the "Pre-shared key" function is not set during the configuration export/import process.
## Vulnerability Description
When a user exports the configuration file of a Moxa NPort IA5000A device, the software stores all system user passwords and other sensitive data in plaintext (original form) within the file. If an administrator has not configured a "Pre-shared key" to encrypt the export, the sensitive data remains unprotected. If this file is intercepted during transmission or accessed by an unauthorized party, the credentials can be recovered easily.
## Exploitation
- **Status:** Unknown (No public PoC or active exploitation currently cited in the article).
- **Complexity:** High (Requires a Man-in-the-Middle (MitM) attack or access to exported configuration files).
- **Attack Vector:** Network (Access to TCP ports 80 or 4900 is required to intercept the traffic).
## Impact
- **Confidentiality:** High (Full access to all user passwords and system settings).
- **Integrity:** None (Directly from the flaw itself, though stolen credentials can lead to unauthorized changes later).
- **Availability:** None (Directly from the flaw itself).
## Remediation
### Patches
- No specific firmware patch is listed; remediation relies on the proper use of existing security features.
### Workarounds
- **Enable Pre-shared Key:** Always set a "Pre-shared key" when exporting or importing configuration files to ensure the content is encrypted.
- **Network Access Control:** Use a firewall to restrict access to ports 80/TCP, 443/TCP, and 4900/TCP to authorized IP addresses only.
- **Disable Unused Services:** Turn off any network services that are not required for operation.
- **Encryption:** Use a VPN for remote management to protect traffic from eavesdropping and MitM attacks.
## Detection
- **Indicators of Compromise:** Unusual configuration export activities or unauthorized logins following a configuration management session.
- **Detection Methods:**
  - Implement a Network Intrusion Detection System (NIDS) to monitor for abnormal traffic on management ports.
  - Audit configuration file storage locations for unencrypted `.ini` or configuration files containing plaintext credentials.
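One way to run the storage audit described in the detection methods, as an added example (not code from Moxa or from the advisory): it walks a directory, skips files that look encrypted, and reports credential-like key names without echoing their values. The file extensions and key names are assumptions, since the advisory does not document the export format.

```python
import re
import sys
from pathlib import Path

# Assumptions (not from the advisory): the extensions and key names below are
# illustrative; adjust them to what your own exported files actually contain.
SUFFIXES = {".ini", ".cfg", ".conf", ".txt"}
CRED_LINE = re.compile(
    r"^\s*([\w.\-]*(?:password|passwd|secret|community)[\w.\-]*)\s*[=:]\s*\S+",
    re.I,
)
PRINTABLE = set(range(32, 127)) | {9, 10, 13}


def looks_plaintext(data: bytes, threshold: float = 0.95) -> bool:
    """An encrypted export is mostly non-printable bytes; a cleartext one is not."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def audit_file(path: Path) -> list:
    """Return (line number, key name) for credential-like lines in a cleartext file.
    The value is never returned, so the report is safe to store in a ticket."""
    data = path.read_bytes()
    if not looks_plaintext(data):
        return []
    hits = []
    for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        match = CRED_LINE.match(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def audit_tree(root) -> dict:
    """Walk a storage location and map each offending file path to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            hits = audit_file(path)
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    findings = audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name, hits in findings.items():
        print(name, hits)
    sys.exit(1 if findings else 0)
```

A non-zero exit status means at least one cleartext file with credential-like entries was found, which makes the script usable as a scheduled check on backup shares.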
## References
- **Moxa Advisory:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2020-27150
- **Kaspersky Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2021/05/11/klcert-20-019/