A CISA advisory was issued yesterday for a new vulnerability (CVE-2020-14511) affecting Moxa EDR-G902 and EDR-G903 series routers, versions 5.4 and prior. The CISA advisory comes nearly a month after Moxa published its own advisory on June 15. Discovered by Team82's Tal Keren, CVE-2020-14511 could allow an attacker to crash affected devices and/or carry out remote code execution.
Widely used across critical infrastructure sectors such as manufacturing, energy, and transportation, Moxa EDR-G902 and EDR-G903 are industrial VPN servers built into an all-in-one secure router that includes a firewall and network address translation (NAT). Since EDR-G902/G903 devices are often exposed to the internet, attackers could potentially leverage the discovered vulnerability as a gateway into targeted operational technology (OT) environments.
Amid the current COVID-19 pandemic, far more employees are working from home than under normal circumstances, making many industrial OT environments particularly dependent on VPN solutions such as Moxa EDR-G902 and EDR-G903. Claroty researchers believe this heightened reliance may increase the potential impact of this vulnerability being exploited.
Classified as a stack-based overflow vulnerability (CWE-121), CVE-2020-14511 has been assigned a CVSS v3 base score of 9.8. Exploiting this vulnerability, a single, specifically crafted HTTP request could be enough to trigger a stack-based overflow in the system web server, potentially enabling remote code execution without authentication.
Moxa EDR-G902 and EDR-G903 use a GoAhead-based web server, implemented in the /magicP/WebServer/webs binary, to handle HTTP/HTTPS requests on ports 80 and 443. To verify authentication, the websSecurityHandler function checks the cookie supplied by the client before granting access to any page.
At the beginning of the websSecurityHandler function, the cookie is copied into a fixed-size buffer on the stack. Because the length of the client-supplied cookie is not checked before the copy, an unauthenticated adversary can trigger a stack-buffer overflow simply by sending a cookie longer than 0x200 bytes. From there, it could be relatively easy for an adversary to escalate the attack to full remote code execution on the affected device.
The image below shows the pseudo code created by Claroty researchers based on their understanding of the websSecurityHandler function:
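To make the flaw concrete, the following C is an added example written for this page; it is a hypothetical reconstruction of the pattern described above, not Moxa's code or Claroty's pseudo code. The buffer size (0x200) is taken from the text; the function names, the "session=" check, the request layout and the sample requests are constructed for illustration. It shows the unbounded copy beside a hardened version that measures and rejects first, plus a small request-side check that flags an oversized Cookie header before it reaches the handler, which is the kind of indicator a network monitor in front of the router could act on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stack buffer size implied by the write-up ("longer than 0x200 bytes").
   The size comes from the text; everything else here is a reconstruction. */
#define COOKIE_BUF_SIZE 0x200

/* Vulnerable shape (hypothetical, not Moxa's binary): the client's cookie is
   copied into a fixed stack buffer with no length check, so a cookie of
   0x200 bytes or more overruns it. Never call this with untrusted input. */
static int security_handler_vulnerable(const char *cookie)
{
    char buf[COOKIE_BUF_SIZE];
    strcpy(buf, cookie);                      /* unbounded copy: the bug */
    return strncmp(buf, "session=", 8) == 0;  /* stand-in for the real check */
}

/* Hardened shape: measure, refuse anything that does not fit (including the
   terminator), then copy with an explicit bound.
   Returns 1 for a session cookie, 0 for some other cookie, -1 if rejected. */
static int security_handler_hardened(const char *cookie)
{
    char buf[COOKIE_BUF_SIZE];
    size_t len = strlen(cookie);
    if (len >= sizeof buf)
        return -1;                            /* would overflow: treat as malformed */
    memcpy(buf, cookie, len + 1);
    return strncmp(buf, "session=", 8) == 0 ? 1 : 0;
}

/* Length of the Cookie header value in a raw HTTP request, or -1 if absent.
   Minimal parser: assumes CRLF line endings and the literal name "Cookie:". */
static long cookie_value_length(const char *request)
{
    const char *h = strstr(request, "\r\nCookie:");
    if (h == NULL)
        return -1;
    h += strlen("\r\nCookie:");
    while (*h == ' ' || *h == '\t')
        h++;
    const char *end = strstr(h, "\r\n");
    if (end == NULL)
        end = h + strlen(h);
    return (long)(end - h);
}

/* Network-side indicator: a Cookie value long enough to overflow the
   handler's buffer should never appear in legitimate traffic to the router. */
static int request_would_overflow(const char *request)
{
    return cookie_value_length(request) >= COOKIE_BUF_SIZE;
}

/* Constructed sample request, not captured traffic. */
static const char BENIGN_REQUEST[] =
    "GET /index.html HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n";

/* Builds a request whose Cookie value is `len` bytes of 'A' and reports
   whether the network-side check flags it. */
static int oversized_request_flagged(size_t len)
{
    const char *head = "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\nCookie: ";
    const char *tail = "\r\n\r\n";
    char *req = malloc(strlen(head) + len + strlen(tail) + 1);
    if (req == NULL)
        return -2;
    strcpy(req, head);
    memset(req + strlen(head), 'A', len);
    strcpy(req + strlen(head) + len, tail);
    int flagged = request_would_overflow(req);
    free(req);
    return flagged;
}

/* Runs a cookie of `len` 'A' bytes through the hardened handler. */
static int hardened_verdict_for_length(size_t len)
{
    char *cookie = malloc(len + 1);
    if (cookie == NULL)
        return -2;
    memset(cookie, 'A', len);
    cookie[len] = '\0';
    int rc = security_handler_hardened(cookie);
    free(cookie);
    return rc;
}

int main(void)
{
    printf("benign: cookie length %ld, flagged %d\n",
           cookie_value_length(BENIGN_REQUEST), request_would_overflow(BENIGN_REQUEST));
    printf("0x300-byte cookie: flagged %d, hardened handler returns %d\n",
           oversized_request_flagged(0x300), hardened_verdict_for_length(0x300));
    printf("vulnerable handler on a short cookie: %d\n",
           security_handler_vulnerable("session=abc123"));
    return 0;
}
```

The hardened handler rejects at 0x200 bytes rather than 0x201 because the terminating NUL also needs a slot; a length check that forgets the terminator leaves a one-byte overflow behind. The request-side check is deliberately crude (exact header name, CRLF only) and is meant as a triage indicator, not a substitute for the firmware fix.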
Organizations unable to immediately apply the firmware update can adopt the following defensive measures recommended by CISA to reduce the risk of exploitation of this vulnerability:
Minimize network exposure for all industrial control systems (ICS) and devices, ensuring they are not connected to the internet.
Protect ICS systems and devices with firewalls, and isolate them from your organization's business network.
Leverage VPNs or other secure methods when remote access is required, while keeping these defense measures updated to the most current version available.