Rostelecom-Solar helped close a number of dangerous vulnerabilities in Moxa industrial equipment
Customers: Moxa
Product: External IT and security audit projects (including PCI DSS and SUIB)
Project date: 2019/03 - 2019/08
2019: Closing of a number of dangerous vulnerabilities in industrial equipment
On September 26, 2019, Rostelecom-Solar reported that its experts Ilya Karpov and Evgeny Druzhinin had studied the security of industrial Ethernet equipment from the global vendor Moxa. The research uncovered 31 vulnerabilities, a number of them critical. These vulnerabilities could allow an attacker to gain control of the equipment and to obtain user accounts, network configurations and other sensitive information. Details of the vulnerabilities were sent to the vendor, which released the corresponding security updates.
The Rostelecom-Solar APCS Cybersecurity Laboratory studies the security of industrial protocols, software, and combined hardware and software solutions that are widely used in building and operating the technology segments of Russian enterprises. This work is acquiring strategic importance for a number of industries, because a pronounced trend has recently been observed toward growth in the number of cyberattacks on industrial enterprises, including those that are critical information infrastructure (KII) objects.
Most of the vulnerabilities found by the experts of the Rostelecom-Solar APCS Cybersecurity Laboratory relate to the implementation of the web service on Moxa equipment. These vulnerabilities allow an attacker to carry out denial-of-service attacks and temporarily put the equipment out of action (CWE-120, CWE-121, CWE-400, CWE-680, CWE-941), and also to gain control of the equipment because of insecure authentication mechanisms (CWE-200, CWE-352, CWE-521).
A large number of the identified potential cyber risks stemmed from the fact that sensitive information, including user logins and passwords, was stored and transmitted in the clear, i.e. unencrypted (CWE-310, CWE-312, CWE-319).
Rostelecom-Solar experts also reported insecure cryptographic protocol implementations in a number of Moxa Ethernet devices (CWE-327). Weak encryption algorithms could allow an attacker to obtain information about the network configuration and to compromise all traffic. In addition, in some devices the private encryption key, on which the confidentiality of the encrypted data depends, was hard-coded in the software. If it were compromised, all traffic would be exposed to the attacker, and the user would have no way to change the key (CWE-321). Moreover, the software of some devices contained a hard-coded password giving access to control of the equipment (CWE-321), which carries similar cyber risks.
It should be noted that attacks using these vulnerabilities require network access to the equipment, i.e. the attacker would have to be inside the network of the technology segment. Nevertheless, given the current state of interconnection and security of corporate and technology networks, such an attack appears quite likely.
The experts of the Rostelecom-Solar APCS Cybersecurity Laboratory immediately reported the vulnerabilities they had found to the vendor and also passed the information to FSTEC of Russia for publication in the "Databank of Information Security Threats" (BDU: 2019-03252 – BDU: 2019-03282). This ensures coordinated, simultaneous disclosure of the information to the various CERTs, SOCs and third-party vulnerability databases. As of September 2019, the vulnerabilities are closed.