Cisco’s Talos intelligence and research group has conducted a two-week analysis of an industrial wireless access point (AP) from Taiwan-based Moxa and discovered more than a dozen vulnerabilities, including ones that can be exploited to take full control of a device.
A blog post published by Talos on Monday describes the vulnerabilities found by researchers during their tests. All of the flaws have been addressed by Moxa, except for one critical weakness, whose details will not be disclosed until a patch becomes available.
Experts focused on Moxa’s AWK-3131A AP, which is recommended for any type of industrial wireless application.
On the first day of testing, researchers identified the services available on the BusyBox-powered device, including SSH (Dropbear), Telnet, HTTP and HTTPS. Talos said Moxa agreed to share the source code of its BusyBox implementation for proper analysis.
Researchers first identified authentication weaknesses that made it easy for attackers to run dictionary attacks against the web interface's login page, along with flaws that allowed user sessions to be hijacked.
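The dictionary-attack weakness above is the kind of thing a defender can spot in the AP's own web-server logs: many failed POSTs to the login page from one source in a short window, especially when a successful login follows. The script below is an added illustration of that detection logic, not code from Talos or Moxa. The log format, the `/login.cgi` path and the status codes are assumptions chosen for the example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in a common-log-like format (assumption:
# the device's real log format, login path and status codes may differ).
# 10.0.0.5 fails six times in a few seconds and then gets a 302 (success);
# 10.0.0.9 is a normal user with one typo; 10.0.0.7 fails slowly (2 min apart).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2017:10:00:01 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:02 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:03 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:04 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:05 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:06 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.5 - - [18/Apr/2017:10:00:07 +0000] "POST /login.cgi HTTP/1.1" 302 0
10.0.0.9 - - [18/Apr/2017:10:01:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.9 - - [18/Apr/2017:10:01:05 +0000] "POST /login.cgi HTTP/1.1" 302 0
10.0.0.9 - - [18/Apr/2017:10:01:06 +0000] "GET /index.html HTTP/1.1" 200 4120
10.0.0.7 - - [18/Apr/2017:10:02:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.7 - - [18/Apr/2017:10:04:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.7 - - [18/Apr/2017:10:06:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.7 - - [18/Apr/2017:10:08:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
10.0.0.7 - - [18/Apr/2017:10:10:00 +0000] "POST /login.cgi HTTP/1.1" 401 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_dictionary_attacks(log_text, login_path="/login.cgi",
                            threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs whose failed logins within `window` reach `threshold`.

    Returns {ip: {"failures": total_failures, "succeeded_after": bool}}.
    A success (2xx/302) after the source was flagged is the most urgent case:
    the guessing may have worked.
    """
    recent = defaultdict(list)        # ip -> failure timestamps inside the window
    total_failures = defaultdict(int)  # ip -> all failures seen
    flagged = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["path"] != login_path or ev["method"] != "POST":
            continue
        ip = ev["ip"]
        if ev["status"] in (401, 403):
            total_failures[ip] += 1
            cutoff = ev["ts"] - window
            recent[ip] = [t for t in recent[ip] if t >= cutoff] + [ev["ts"]]
            if len(recent[ip]) >= threshold:
                flagged.setdefault(ip, {"failures": 0, "succeeded_after": False})
                flagged[ip]["failures"] = total_failures[ip]
        elif ev["status"] in (200, 302) and ip in flagged:
            flagged[ip]["succeeded_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins, "
              f"login succeeded afterwards: {info['succeeded_after']}")
```

The sliding window is what separates the burst from 10.0.0.5 from the slow, spread-out failures of 10.0.0.7; lowering the threshold or widening the window trades false positives for catching slower guessing. On a device that lacks rate limiting, this kind of log review is the compensating control.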
On the third day of the investigation, researchers discovered many cross-site scripting (XSS) vulnerabilities in the front-end of the web interface. These flaws can be exploited to hijack user sessions and gain access to the web interface.
Once authenticated, attackers can exploit one of several command injection vulnerabilities to gain full control of the targeted AP.
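Command injection in an embedded web interface typically comes from a CGI handler that splices a user-supplied value (a host to ping, an interface name) into a shell command string. The example below is an added illustration of the weak pattern beside its hardened form; it is not code from the Moxa firmware or from Talos, and the `ping` diagnostic page it models is an assumption. It validates the input as an IP literal or a strict hostname and passes it to the program as an argument vector with no shell involved.

```python
import ipaddress
import re
import shlex
import subprocess

# Strict RFC 1123-style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_ping_command_vulnerable(host):
    """Weak pattern: untrusted input concatenated into a string meant for sh -c."""
    return f"ping -c 1 {host}"


def shell_would_split(command):
    """Tokenise like a POSIX shell and report whether the string contains
    operators (; | & && ||) that would turn one command into several."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return any(tok in (";", "|", "&", "&&", "||") for tok in lexer)


def validate_host(value):
    """Accept only an IP address literal or a well-formed hostname; reject anything else."""
    if not isinstance(value, str) or len(value) > 253:
        raise ValueError("host must be a short string")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def build_ping_argv(host):
    """Hardened pattern: validated value placed in an argv list; no shell parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host, timeout=5):
    """Execute the hardened command. shell=False means metacharacters in `host`
    could never be interpreted even if validation were bypassed."""
    return subprocess.run(build_ping_argv(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed inputs: a benign one and one carrying a shell separator.
    for candidate in ("10.0.0.1", "10.0.0.1; id"):
        weak = build_ping_command_vulnerable(candidate)
        print(f"{candidate!r}: shell string {weak!r} "
              f"splits into extra commands: {shell_would_split(weak)}")
        try:
            print("  hardened argv:", build_ping_argv(candidate))
        except ValueError as exc:
            print("  hardened form rejected it:", exc)
```

The two controls are independent and both matter: the allow-list validator keeps unexpected characters out of the value, and the argv form means that even a validator mistake would hand the string to `ping` as a single argument rather than to a shell. Escaping with `shlex.quote` is a weaker third option, because it still relies on a shell to reinterpret the result correctly.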
Several of the security holes found by Talos can allow malicious actors to obtain potentially valuable information without any authentication, including passwords, firewall rules and network configuration data.
Experts have also uncovered a denial-of-service (DoS) vulnerability that can be exploited remotely to crash the web application.
On the last day of testing, researchers identified several cryptography-related issues. Specifically, they determined that the Moxa AP used an outdated version of OpenSSL (1.0.0d from 2011), which left it vulnerable to attacks such as POODLE and DROWN.
“Our research demonstrates how many vulnerabilities can be quickly discovered by analyzing a device,” Talos researchers said. “There is nothing to suggest that this device is more or less vulnerable than any other. Indeed, the vulnerabilities we discovered are exactly the types of vulnerabilities likely to be discovered on any ICS device.”