An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
An exploitable Nonce Resume vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds. The value of a sessions token is the result of MD5(password+webNonce). With a fixed nonce, attacks against the session token to determine valid credentials are greatly simplified as the attacker now only needs to crack MD5(password).
The nonce reuse is also the basis for the way sessions are implemented: because the nonce keeps getting reused as long as the web application hasn’t been idle, the session remains valid. This introduces another problem: when logging out, the cookie containing the session token is cleared, but the session does not become invalid until the timeout has occured. This allows attackers who have been able to gain access to a session token to use it to log in even if the user has explicitly logged out. They can also keep this session token valid permanently by ensuring that the web application never goes idle, which prevents the nonce from changing.
The below script will grab a nonce once every 250 seconds, just under the 300 second time-out period. This will prevent the nonce from changing.
nonce = urllib2.urlopen("http://<Device IP>/webNonce?time=").read()
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.