[Technical Blog] CVE-2020-12117 & Industrial IoT Insecure Default Configurations
A New Vulnerability is Detected
As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.
CVE-2020-12117 is an unauthenticated information disclosure vulnerability in Moxa devices that has been discovered by SCADAfence’s very own researcher Maayan Fishelov.
Moxa is one of the world’s leading industrial networking vendors, and is in use by many of our customers. We have been working with Moxa for the last few months in handling this vulnerability, and yesterday, Moxa published an official security advisory reporting this vulnerability and mitigations.
Moxa Service is a legacy, first-time installation utility that is enabled by default on many Moxa products (including new products). Moxa Service is used by the Moxa DSU (Device Search Utility) to fetch configuration details about Moxa products over the network. These configuration details normally require a user to pass authentication.
Whenever the Moxa Service is running, attackers can get the same details unauthenticated. Upon a successful installation, the user can go to the configuration and disable the feature manually. However, many users aren’t aware of that, leaving their devices exposed. This is a matter of insecure default configuration. Unless this feature has been disabled, installed Moxa devices can be queried for their configuration by unauthenticated attackers. This is done by sending a specially crafted packet to UDP port 4800.
What SCADAfence Recommends Vendors To Do
This is a case of insecure default configuration, requiring the user to manually disable a service – a process that’s prone to human errors, resulting in vulnerabilities in the field.
- SCADAfence urges industrial vendors to ship their products secure by default, and not rely on their end-users to actively make them secure.
- If end-users want to use an insecure configuration, vendors must ensure the end-users are aware of the risk, and make the change explicit rather than implicit. An example can be seen in the OpenSSH server implementation. By default, a user isn’t allowed to login with an empty password. The server must be configured specifically to allow that. Here’s the respective configuration documentation. I would also add the risk of having users logging in with empty passwords, to make sure that the person who is configuring it understands the risks.
When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings. The default is ”no”.
Special Thanks & Recognition
The SCADAfence Research team would like to thank the Moxa team for a speedy vulnerability reporting process even during the challenging COVID-19 times.
SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.
How To Check If Your Devices Are Safe
We wrote a Python POC (GPLv3) script of the vulnerability in action. You can download it for free and use this to check if your devices affected by CVE-2020-12117.
To get this free python script, please send an email to firstname.lastname@example.org