11 May 2021

KLCERT-20-020: Moxa NPort IA5000A Series. Using the Telnet service

Vendor

Moxa

Researcher

Alexander Nochvay, Kaspersky ICS CERT

Timeline

Timeline

  • Kaspersky ICS CERT advisory published

    11 May 2021

  • Moxa published the advisory

    28 April 2021

  • Moxa confirmed the vulnerability

    24 August 2020

  • Vulnerability reported

    14 August 2020

Description

The NPort devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.

Exploitability

Remotely exploitable: network access to port 23/TCP is required

Attack complexity

High skill level to exploit: an attacker must perform Man-in-the-Middle attack

Privilege required

No privileges required

User interaction

User interaction required: it requires to communicate over Telnet by user

Impact

An attacker could read all data transferred between the client and the device if the communication is carried out over the Telnet protocol, including authentication credentials, device configuration data, other sensitive data, version of the device, etc.

Existence of exploit

Unknown

Affected products

NPort IA5150A-IEX
NPort IA5150A-T-IEX
NPort IA5150A-T
NPort IA5150A
NPort IA5150AI-IEX
NPort IA5150AI-T-IE
NPort IA5150AI-T
NPort IA5150AI
NPort IA5250A-IEX
NPort IA5250A-T-IEX
NPort IA5250A-T
NPort IA5250A
NPort IA5250AI-IEX
NPort IA5250AI-T-IE
NPort IA5250AI-T
NPort IA5250AI
NPort IA5450A-T
NPort IA5450A
NPort IA5450AI-T
NPort IA5450AI

Mitigation

Vendor mitigation

Moxa products can disable the Telnet service to mitigate this risk. Please refer to the Console Settings section in the user manual for more details. Firmware version 1.5 or higher will disable Telnet by default on the NPort IA5150A/IA5250A Series. Firmware version 2.0 or higher will disable Telnet by default on the NPort IA5450A Series.

Link to Moxa’s advisory: https://www.moxa.com/en/support/product-support/security-advisory/nport-ia5000a-serial-device-servers-vulnerabilities

KL mitigation

Set up a border firewall (or a similar network traffic control solution) passing traffic into the device’s network segment to allow traffic to port 23/TCP from authorized parties only.

Disable Telnet service on NPort device if it is possible in your environments

Firewall. Configure the firewall to restrict access to the industrial network in such a way that only essential communications from authorized sources are allowed. This will help reduce the attack surface. Make sure that the firewall restrictions do not affect core business workflows.

VPN. Use virtual private networks (VPN) to secure remote access to the industrial network. A VPN encrypts network traffic between VPN clients and the VPN server, as well as providing secure authorized access to local resources on the company’s internal network. Traffic encryption protects against traffic eavesdropping attacks, including man-in-the-middle (MitM) and other types of traffic analysis attacks.

Network monitoring. Implement a network intrusion detection solution (NIDS). A comprehensive IDS solution is capable of detecting unusual network connections and abnormal traffic sent to the device, providing timely information about various suspicious activities and sufficiently reducing the attacker’s chances of successful exploitation.

Network segmentation. Compartmentalize your network: implement network segmentation and strict access control for each segment to provide more comprehensive and effective protection against a wide range of threats. Proper network segmentation prevents attackers from reaching critical assets in the event of a network breach

Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.

Timeline

  • Kaspersky ICS CERT advisory published

    11 May 2021

  • Moxa published the advisory

    28 April 2021

  • Moxa confirmed the vulnerability

    24 August 2020

  • Vulnerability reported

    14 August 2020