CVE-2017-14435, CVE-2017-14436, CVE-2017-14437
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to “/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini” without a cookie header to trigger this vulnerability.
Moxa EDR-810 V4.1 build 17030317
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-476 - NULL Pointer Dereference
This device is marketed as a secure ICS (Industrial Control System) router and will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash.
A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.
In each of the following code snippets, R0 (loaded from s1) is NULL if the cookie header is not set, so the call to strcmp dereferences a null pointer.

    .text:0001B544 LDR R0, [R11,#s1] ; s1
    .text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini"
    .text:0001B54C BL strcmp

    .text:0001B55C LDR R0, [R11,#s1] ; s1
    .text:0001B560 LDR R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini"
    .text:0001B564 BL strcmp

    .text:0001B574 LDR R0, [R11,#s1] ; s1
    .text:0001B578 LDR R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini"
    .text:0001B57C BL strcmp
Any one of the following requests triggers the crash:

    curl -v 192.168.127.254/MOXA_LOG.ini
    curl -v 192.168.127.254/MOXA_CFG.ini
    curl -v 192.168.127.254/MOXA_CFG2.ini
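As an added illustration (not code from the advisory or from Moxa's firmware), the reachable strcmp modelled in C: the vulnerable shape passes s1 straight to strcmp, while the hardened shape rejects a NULL operand before any string function runs. It assumes s1 is the requested-path string as the handler sees it, which per the advisory is NULL when the Cookie header is absent.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative model only, not Moxa's firmware code. Per the advisory,
 * the first strcmp operand (s1) is NULL when the request carries no
 * Cookie header, and the three .ini URIs reach that strcmp without any
 * authentication check. */
static const char *const INI_PATHS[] = {
    "/MOXA_CFG.ini", "/MOXA_CFG2.ini", "/MOXA_LOG.ini"
};
#define N_INI_PATHS (sizeof INI_PATHS / sizeof INI_PATHS[0])

enum { ROUTE_OTHER = 0, ROUTE_INI = 1, ROUTE_REJECTED = 2 };

/* Vulnerable shape (the disassembled pattern): strcmp is reached with s1
 * possibly NULL. strcmp(NULL, ...) is undefined behaviour and, on the
 * device, a fault that takes the web server down. Shown for reading;
 * it must never be called with NULL. */
int route_vulnerable(const char *s1) {
    for (size_t i = 0; i < N_INI_PATHS; i++)
        if (strcmp(s1, INI_PATHS[i]) == 0)     /* crashes if s1 == NULL */
            return ROUTE_INI;
    return ROUTE_OTHER;
}

/* Hardened shape: validate the operand before any string function, so a
 * cookie-less request gets an error response instead of crashing the
 * server. The ordering matters: the NULL check precedes every strcmp. */
int route_hardened(const char *s1) {
    if (s1 == NULL)
        return ROUTE_REJECTED;                /* e.g. answer 400 or 401 */
    for (size_t i = 0; i < N_INI_PATHS; i++)
        if (strcmp(s1, INI_PATHS[i]) == 0)
            return ROUTE_INI;
    return ROUTE_OTHER;
}
```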
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Discovered by Carlos Pacho of Cisco Talos.