
KLCERT-20-018: Moxa NPort IA5000A Series. Broken access control

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

KL-IDS: KLCERT-20-018
CVE-IDS: CVE-2020-27149
Publication date: 2021.05.11
Researcher: Alexander Nochvay, Kaspersky ICS CERT
Description: By exploiting the vulnerability, a user with “Read Only” privilege level can send requests via the web console to have the device’s configuration changed.
Impact: A remote attacker who has an account with “Read Only” privileges is able to execute requests that should only be available to users with “Read Write” privileges.
Severity
CVSS v3 Base Score: 9.9
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: Remotely exploitable: network access to port 80/TCP or 443/TCP is required
Difficulty: Low skill level to exploit
Privilege required: Low privilege level required: an account with “Read Only” privileges is required
User interaction: None
Scope: Scope changed: the security of serial devices connected to NPort can be affected
Existence of exploit: Unknown
Affected products
NPort IA5150A-IEX
NPort IA5150A-T-IEX
NPort IA5150A-T
NPort IA5150A
NPort IA5150AI-IEX
NPort IA5150AI-T-IE
NPort IA5150AI-T
NPort IA5150AI
NPort IA5250A-IEX
NPort IA5250A-T-IEX
NPort IA5250A-T
NPort IA5250A
NPort IA5250AI-IEX
NPort IA5250AI-T-IE
NPort IA5250AI-T
NPort IA5250AI
NPort IA5450A-T
NPort IA5450A
NPort IA5450AI-T
NPort IA5450AI
Mitigation
Vendor mitigation
  • For NPort IA5150A/IA5250A Series, please upgrade to firmware version 1.5 or higher
  • For NPort IA5450A Series, please upgrade to firmware version 2.0 or higher

You can download new firmware from here.

Link to Moxa’s advisory: https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities
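
The following added example (not part of the Kaspersky or Moxa advisory) checks an asset inventory against the fixed firmware versions listed above. The CSV layout, host names and firmware values are constructed, and the mapping of the "AI" and suffixed models to their series is an assumption based on the affected products list.

```python
import csv
import io
import re

# Fixed firmware versions from the "Vendor mitigation" list above.
FIXED = {"IA5150A": (1, 5), "IA5250A": (1, 5), "IA5450A": (2, 0)}

# Matches e.g. "NPort IA5250AI-T-IEX"; the optional "I" and the -T/-IEX
# suffixes are treated as variants of one series (assumption).
MODEL_RE = re.compile(r"^(?:NPort\s+)?(IA5[124]50A)I?(?:-[A-Z]+)*$", re.I)


def parse_version(text):
    """Turn '1.10' or 'v1.4 Build 2003' into a comparable tuple, e.g. (1, 10)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (2 - len(parts)))  # "2" compares as 2.0


def assess(model, firmware):
    """Return 'upgrade', 'ok' or 'not-listed' for one inventory entry."""
    m = MODEL_RE.match(model.strip())
    if not m:
        return "not-listed"
    fixed = FIXED[m.group(1).upper()]
    return "ok" if parse_version(firmware) >= fixed else "upgrade"


def triage(inventory_csv):
    """Map each host in a CSV (columns: host, model, firmware) to a status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["model"], r["firmware"]) for r in rows}


# Constructed sample inventory; hosts and firmware values are made up.
SAMPLE = """host,model,firmware
plc-gw-01,NPort IA5150A-T,1.4
plc-gw-02,NPort IA5250AI-T-IEX,1.10
plc-gw-03,NPort IA5450A,1.7
plc-gw-04,NPort IA5450AI-T,2.0
plc-gw-05,Example-Gateway X1,2.9
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples, so firmware 1.10 is correctly treated as newer than 1.5; "not-listed" only means the model is not named in this advisory.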

KL mitigation

Disable all unused user accounts with “Read Only” privileges.

Set up a border firewall (or a similar network traffic control solution) for traffic entering the device’s network segment, allowing traffic to ports 80/TCP and 443/TCP from authorized parties only.

Disable all unused network services.

Firewall. Configure the firewall to restrict access to the industrial network in such a way that only essential communications from authorized sources are allowed. This will help reduce the attack surface. Make sure that the firewall restrictions do not affect core business workflows.

VPN. Use virtual private networks (VPN) to secure remote access to the industrial network. A VPN encrypts network traffic between VPN clients and the VPN server, as well as providing secure authorized access to local resources on the company’s internal network. Traffic encryption protects against traffic eavesdropping attacks, including man-in-the-middle (MitM) and other types of traffic analysis attacks.

Network monitoring. Implement a network intrusion detection solution (NIDS). A comprehensive IDS solution is capable of detecting unusual network connections and abnormal traffic sent to the device, providing timely information about various suspicious activities and sufficiently reducing the attacker’s chances of successful exploitation.

Network segmentation. Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and effective protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in the event of a network breach.

Timeline
14.08.2020 – Vulnerability reported
24.08.2020 – Moxa confirmed the vulnerability
28.04.2021 – Moxa published the advisory