Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability

This is an adaptation for Steemit of Cisco Talos. if you want to have it in HTML format you can see it here.

This vulnerability is discovered by Patrick DeSantis and Dave McDaniel of Cisco Talos

Today, Talos is disclosing TALOS-2017-0507 (CVE-2017-14459), a vulnerability that has been identified in Moxa AWK-3131A industrial wireless access point.

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. The manufacturer specifically highlights automated materials handling and automated guided vehicles as target markets.

An exploitable OS Command Injection vulnerability exists in the Telnet, SSH and the local login port functionality of Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client in firmware versions 1.4 and newer. An attacker can inject commands via the username parameter, resulting in remote, unauthenticated, root-level operating system command execution.

Moxa has released an updated version of the firmware. Users are advised to download and install the latest release as soon as possible to fix this issue.

Vulnerability Details

The vulnerability appears to be a result of code which creates a log of failed authentication attempts. Any failed login of a service that relies on Busybox loginutils will trigger code similar to the following:

Versions 1.4 - 1.7 sprintf(buf, "/usr/sbin/iw_event_user %s %s %s", IW_LOG_AUTH_FAIL); system(buf)
The input from the username field is passed as to an argument to iw_event_user, which is then passed to system(), allowing for command injection.

Exploitation of this vulnerability has been confirmed via Telnet, SSH, and the local console port. It is suspected that the web application may also be vulnerable as it relies on loginutils and examination of the iw_event_user binary reveals "fail" messages for "WEB", "TELNET", and "SSH".

By default, the device displays stderr output to the console, even without authentication. Redirecting stdout to stderr (using `1>&2`) allows the attacker to receive console output when injecting OS commands.

Older versions of the firmware (1.3 and earlier) appear vulnerable but not as easily exploitable. For example, entering `sh` or `reboot` via the console port on version 1.0 will cause the console to hang/freeze and requires a power cycle to recover. The differences in exploitability between versions is likely do to with a slight difference between the methods of generating log events in v1.4 and earlier versions.

More technical details about this vulnerability are available in the vulnerability report.

Discussion

Industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, are used in industries such as energy providers, manufacturing and critical infrastructure providers in order to control and monitor various aspects of various industrial processes. ICS systems employ many mechanisms and protocols also used in traditional IT systems and networks.

Although some characteristics of traditional IT systems and ICS are similar, ICS also have characteristics that differ in their service level and performance requirements. Many of these differences come from the fact that ICS has a direct effect on the physical world which may also include a risk to the health and safety of the population and a potential to cause damage to the environment. For that reason ICS have unique reliability requirements and may use real-time operating systems and applications that would not be used in everyday IT environments.

ICS devices, including wireless access points, run software which can contain vulnerabilities and serve as a pathway that may allow attackers to take advantage and intrude into an ICS network environment.

Users need to make sure that software updates are regularly applied to access points which will minimize the exposure to known vulnerabilities.

Coverage

The following Snort Rules detect attempts to exploit these vulnerabilities. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For all current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:

  • 45220

If you like you can vote me as Witness, help me keep posting news about security