According to a new report by Applied Risk conducted by security researcher Alexandru Ariciu, “multiple vulnerabilities were found in MOXA E1242 Ethernet remote I/O series used in factory automation.” The vulnerabilities can trigger code injection in the web application, and in other cases concern weak password policies and implementation. Fortunately, there are no known public exploits that target these vulnerabilities, the researcher says.
How Severe Are the Vulnerabilities?
An attacker can exploit this by visiting the affected web pages and modifying the parameters that were found to be vulnerable to this attack. The changes to this parameter are permanent, thus any user visiting the infected web page after the attacker will be at risk.
Another problem concerns the passwords which are sent via the HTTP GET method. The md5 hash of the password employed for authentication on the device is sent as a parameter in each GET request to the server, which is believed to be a bad practice. Why? An attacker can deploy a MiTM attack and bypass the authentication mechanism.
The password that is used to authenticate users to the system is truncated to 8 characters. An user trying to use a longer password will have its password cut down to the first 8 characters. Also, the MD5 hash challenge that is created for authentication and is later used in all GET requests will be created using these first 8 characters.
The researcher adds that this behavior is accepted as insecure, as it does not provide sufficient protection to the passwords used by the user and also forces the user to use simple passwords that can be easily bypassed.
Fortunately, MOXA addressed the reported vulnerabilities by releasing a firmware update for the affected devices, available here.
Automation Industries Flaws Are Mostly Proof-of-Concept
In a conversation with SCMagazine, Mark James from ESET shared that a prevalent number of the flaws in the automation industry are proof of concept.
Automation often involves heavy equipment doing precision work and if it fails it could cause thousands of pounds of damage. If that equipment were to go wrong around or close to humans then there is always the potential of injury or even death.