Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
|Researcher||Alexander Nochvay, Kaspersky ICS CERT|
|Description||The result of exporting a device’s configuration contains the passwords of all users on the system and other sensitive data in the original form if “Pre-shared key” doesn’t set.|
|Impact||An attacker can extract authentication credentials from a configuration file sent over an insecure communication channel. The data extracted can subsequently be used to authenticate with the NPort services and change the device’s configuration.|
|CVSS v3 Base Score:||5.3|
|Exploitability||Remotely exploitable: network access to port 80/TCP or 4900/TCP is required|
|Difficulty||High skill level to exploit: an attacker must perform Man-in-the-Middle attack|
|Privilege required||No privileges required|
|User interaction||User interaction required: user must export/import configuration of the NPort device without set a “Pre-shared key”|
|Existence of exploit||Unknown|
|Affected products||NPort IA5150A-IEX
Moxa products support a pre-shared key function to encode the configuration file to mitigate this risk. Please refer to the Export/Import section in the user manual for more details.
Enable “Pre-shared key” function to encrypt a content of transmitted configuration file.
Set up a border firewall (or a similar network traffic control solution) passing traffic into the device’s network segment to allow traffic to ports 80/TCP, 443/TCP and 4900/TCP from authorized parties only.
Disable all unused network services.
Firewall. Configure the firewall to restrict access to the industrial network in such a way that only essential communications from authorized sources are allowed. This will help reduce the attack surface. Make sure that the firewall restrictions do not affect core business workflows.
VPN. Use virtual private networks (VPN) to secure remote access to the industrial network. A VPN encrypts network traffic between VPN clients and the VPN server, as well as providing secure authorized access to local resources on the company’s internal network. Traffic encryption protects against traffic eavesdropping attacks, including man-in-the-middle (MitM) and other types of traffic analysis attacks.
Network monitoring. Implement a network intrusion detection solution (NIDS). A comprehensive IDS solution is capable of detecting unusual network connections and abnormal traffic sent to the device, providing timely information about various suspicious activities and sufficiently reducing the attacker’s chances of successful exploitation.
Network segmentation. Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and effective protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in the event of a network breach
|Timeline||14.08.2020 – Vulnerability reported
24.08.2020 – Moxa confirmed the vulnerability
28.04.2021 – Moxa published the advisory