ICS Ethernet Switches Littered with Flaws
Kacy Zurkus | March 11, 2019
Security researchers discovered multiple vulnerabilities in Moxa industrial switches, according to Positive Technologies and Moxa. Moxa published a security advisory stating that it had issued resolutions for the vulnerabilities in the EDS-405A, EDS-408A, EDS-510A, and IKS-G6824A series ethernet switches that are used to build industrial networks across several sectors including oil and gas, transportation, and maritime logistics. “A vulnerable switch can mean the compromise of the entire industrial network. If ICS components are parts of the body, you can think of network equipment as the arteries that connect them all. So disruption of network interactions could degrade or even stop ICS operations entirely,” said Paolo Emiliani, industry and SCADA research analyst at Positive Technologies, in a press release. Three of the vulnerabilities were identified as highly dangerous, according to the press release. Security experts Ivan Boyko, Vyacheslav Moskvin and Sergey Fedonin said, “The flaws could allow an attacker to recover passwords from a cookie intercepted over the network or by using XSS, extract sensitive information, or brute force credentials using the proprietary configuration protocol to obtain control over the switch and possibly the entire industrial network.” Five of the vulnerabilities are specific to the EDS-405A series, EDS-408A series and EDS-510A series. Though an authenticated user could execute arbitrary code by exploiting any of the vulnerabilities, one of the identified vulnerabilities is "missing encryption of sensitive data," which would allow an attacker access from the unlock function, according to the advisory. In the IKS-G6824A series, researchers discovered plain text storage of passwords that could allow an attacker to reboot the device. In addition, an improper web interface access control could “results in read-only users being able to alter configurations.” As a fix, Moxa said, “We suggest that users disable the web console access (HTTP) and use other consoles, such as SNMP/Telnet/CLI, to eliminate this potential vulnerability.” Customer can also request new firmware patches for several of the listed vulnerabilities.