This article is more than 1 year old

Just a reminder: We're still bad at securing industrial controllers

Moxa boxes caught using plain text passwords and insecure web apps

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers.

The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 different security vulnerabilities in controllers from Moxa.

The bugs range in severity and impact, though Positive Tech noted that even something as simple as a denial of service issue could have a profound impact when it comes to industrial control systems (ICS).

"A vulnerable switch can mean the compromise of the entire industrial network," Paolo Emiliani, Positive's analyst for Industry and SCADA research, said today.

"If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely."

A number of the bugs were found in the web interface for the Moxa devices. In the EDS-405A, EDS-408A, and EDS-510A series controllers, the Positive researchers found web console passwords stored in plain text, predictable session IDs for web server cookies (those cookies could be used to recover administrator passwords), and unlimited authentication rules that allow for brute force attacks on the switches.

The switches were also found to be sending sensitive data via "proprietary protocols" that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

Meanwhile, the IKS-G6824A series of backbone switches was subject to seven unique vulnerabilities of its own, including multiple cross-site-scripting bugs, buffer overflow errors, and cross-site request forgery errors. The box's web interface was also found to be improperly configured, allowing users who were set to read-only mode the ability to change configurations.

For most of the flaws, Moxa is recommending customers update their firmware to the latest version, though there are other steps that will need to be taken to close up all of the holes.

For the EDS-405A, EDS-408A, and EDS-510A, admins will need to set their web configuration to "HTTPS only" in order to close a predictable session ID problem. For the IKS-G6824A, admins are advised to disable HTTP access altogether and use SNMP/Telnet/CLI to manage the devices. ®
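One way to verify the remediation above across a switch inventory, as an added example that is not from the article or from Moxa. The port number (80 for plain HTTP), the inventory addresses and the probe results are assumptions constructed for illustration.

```python
import socket

HTTP_PORT = 80  # conventional default (assumption; the article names no ports)

# Series the article says must not serve plain HTTP after remediation:
# EDS-405A/408A/510A set to "HTTPS only", IKS-G6824A with HTTP disabled.
NO_PLAIN_HTTP = {"EDS-405A", "EDS-408A", "EDS-510A", "IKS-G6824A"}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(inventory, probe=port_open):
    """Check (host, series) pairs against the remediation guidance.

    Returns a list of (host, series, finding) tuples. An empty list means
    no listed device was reachable over plain HTTP.
    """
    findings = []
    for host, series in inventory:
        if series not in NO_PLAIN_HTTP:
            # Do not silently pass devices the guidance does not cover.
            findings.append((host, series, "no policy for this series"))
        elif probe(host, HTTP_PORT):
            findings.append((host, series, "plain HTTP (port 80) reachable"))
    return findings


if __name__ == "__main__":
    # Constructed inventory using TEST-NET-1 addresses, not real devices.
    sample = [("192.0.2.10", "EDS-408A"), ("192.0.2.20", "IKS-G6824A")]
    # Constructed probe results so the example runs offline; drop the
    # probe argument to test live devices on a network you administer.
    observed = {("192.0.2.10", 80), ("192.0.2.10", 443)}
    for finding in audit(sample, probe=lambda h, p: (h, p) in observed):
        print(finding)
```

A closed port 80 confirms only the HTTP setting; the firmware version still has to be checked separately for the flaws fixed by update.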

 
