Just a reminder: We're still bad at securing industrial controllers

Moxa boxes caught using plain text passwords and insecure web apps

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers.

The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 different security vulnerabilities in controllers from Moxa.

The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).

"A vulnerable switch can mean the compromise of the entire industrial network," Paolo Emiliani, Positive's analyst for Industry and SCADA research, said today.

"If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely."

A number of the bugs were found in the web interface for the Moxa devices. In the EDS-405A, EDS-408A, and EDS-510A series controllers, the Positive researchers found web console passwords stored in plain text, predictable session IDs for web server cookies (those cookies could be used to recover administrator passwords), and no limit on authentication attempts, leaving the switches open to brute-force attacks.
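With no attempt limit on the device itself, the only place a defender can catch a brute-force run against the web console is in the logs it ships. The script below is an added illustration, not code from the article, Moxa or Positive Technologies: it walks constructed syslog-style lines (the message format is an assumption, not Moxa's real format), counts failed web-console logins per source within a sliding window, and flags the case that matters most on an unpatched switch, a success arriving right after a burst of failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for illustration only; the real log format of a Moxa
# web console is not given in the article, so this pattern is an assumption.
SAMPLE_LOGS = """\
2022-05-23T10:00:01 eds-405a-01 web: login failed user=admin src=10.0.5.20
2022-05-23T10:00:02 eds-405a-01 web: login failed user=admin src=10.0.5.20
2022-05-23T10:00:03 eds-405a-01 web: login failed user=admin src=10.0.5.20
2022-05-23T10:00:04 eds-405a-01 web: login failed user=admin src=10.0.5.20
2022-05-23T10:00:05 eds-405a-01 web: login failed user=admin src=10.0.5.20
2022-05-23T10:00:06 eds-405a-01 web: login ok user=admin src=10.0.5.20
2022-05-23T10:07:00 eds-405a-01 web: login failed user=admin src=10.0.9.4
2022-05-23T10:20:00 eds-405a-01 web: login failed user=admin src=10.0.9.4
2022-05-23T10:20:30 eds-405a-01 web: login ok user=admin src=10.0.9.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) web: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_bruteforce(lines, threshold=5, window_minutes=5):
    """Return one alert per (host, source) that reaches `threshold` failed
    web-console logins inside a sliding window of `window_minutes`.
    `success_after` is set when a login succeeds from the same source while
    those failures are still inside the window: a likely guessed password."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerts = {}                     # (host, src) -> alert dict
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # unrelated or malformed line
        ts = datetime.fromisoformat(m["ts"])
        key = (m["host"], m["src"])
        q = failures[key]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if m["result"] == "failed":
            q.append(ts)
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"host": key[0], "src": key[1],
                                            "failures": 0, "success_after": False})
                a["failures"] = len(q)
        elif key in alerts and q:
            alerts[key]["success_after"] = True
    return list(alerts.values())
```

The second source in the sample (two failures 13 minutes apart) stays below the default threshold, which is why the window matters as much as the count.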

The switches were also found to be sending sensitive data via "proprietary protocols" that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

Meanwhile, the IKS-G6824A series of backbone switches was subject to seven unique vulnerabilities of its own, including multiple cross-site scripting bugs, buffer overflow errors, and cross-site request forgery errors. The box's web interface was also found to be improperly configured, allowing users set to read-only mode to change configurations.

For most of the flaws, Moxa is recommending customers update their firmware to the latest version, though there are other steps that will need to be taken to close up all of the holes.

For the EDS-405A, EDS-408A, and EDS-510A, admins will need to set their web configuration to "HTTPS only" in order to close the predictable session ID problem. For the IKS-G6824A, admins are advised to disable HTTP access altogether and use SNMP/Telnet/CLI to manage the devices. ®
