工具分享 技术分享

Moxa Nport串口服务器漏洞全球统计报告(Moxa Nport Vulnerability Global Census Report)

ICS-ALERT-16-099-01

ICS-CERT在4月8日发布了ICS-ALERT-16-099-01,报告中指出了
Moxa NPort model 6110, firmware Version 1.13,
Moxa NPort model 5110, firmware Version 2.5,
Moxa NPort models 5130 and 5150, firmware Version 3.5, and
Moxa NPort models 6150, 6250, 6450, 6610, and 6650, with firmware Version 1.13.
如上版本的存在以下安全漏洞:
1、 未经验证的检索敏感账户信息
2、 未经身份验证的远程固件更新
3、 缓冲区溢出
4、 XSS
5、 CSRF
这些问题由Digitalbond LabsBasecamp for Serial Converters研究项目中被发现,同时在今年3月15日Rapid7的博客中也提到了Moxa Nport空凭据的问题,并且发现超过2200个设备通过互联网访问,其中46%没有密码保护。

什么是串口服务器?

串口服务器是一种具有串口转以太网功能的设备,他能将RS-232/485/422串口转换成TCP/IP网络接口,串口服务器可以通过client和server模式来实现数据的传输,串口服务器广泛的应用在SCADA数据采集环节上,用于解决串口和以太网的通信问题。Nport是Moxa的一个串口服务器系列,应用在国内和全球应用都很广泛。
nport

Moxa Nport全网分布情况

我们使用了一种Nport的UDP协议对Moxa Nport系列的设备进行了全网的扫描,针对Moxa Nport全网的扫描统计我们扫描器首次扫描时间在2015年的4月中旬,来自我们节点的最新全网数据显示,有8900多个Nport不同型号的设备连接到公网。根据国家的分布情况,其中接入互联网使用Nport最多的国家为俄罗斯,然后就是Moxa总部所在的台湾。如下是Nport串口服务器接入最多的国家排行TOP30。
moxa-nport-census-2016-04-09

Moxa Nport在全网出现了那些型号?

我们对最新扫描到数据的设备信息字段进行数据统计,整理了接入互联网的Nport各型号排行TOP30情况。

60%的没有设置密码保护

我们的扫描规则具备检查Nport设备是否设置密码的功能,在读取到设备状态的5627条数据中我们发现高达3383条数据没有设置密码保护口令,空口令的比率高达了60%。

会导致什么问题?

Nport在没有配置口令的情况下就意味着任何人可以监视设备和更改Nport的所有设置,攻击者可能使用上传未经验证的固件导致设备宕机。

怎么解决这个问题?

Digitalbond Labs建议能访问设备的UDP/4800, TCP/4900, TCP/80, TCP/443, TCP/23, TCP/22,UDP/161端口的来源是可信任的。

我们提供的检测脚本

我们实验室已经发布了一个基于NMAP枚举Moxa Nport串口服务器的通用脚本。该脚本可以枚举Moxa Nport的设备型号,并读取当前Nport是否设置了密码。

我们本次提供了极少用于概念验证的IP数据,这些数据来自我们的全网扫描统计,同时也用于说明用户在使用Nport时普遍不设置密码的情况。脚本和验证数据样本可以到这里下载:
https://github.com/Z-0ne/MoxaNportScan

本文由灯塔实验室原创,转载请注明出处。

About Z-0ne

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

最新工业控制系统漏洞

ICS-CERT Advisory Feed
Philips PageWriter TC10, TC20, TC30, TC50, and TC70 Cardiographs

This medical device advisory includes mitigation recommendations for improper input validation and use of hard-coded credentials vulnerabilities in Ph. . . read more Thu, 16 Aug 2018 10:10:15 EDT

Emerson DeltaV DCS Workstations

This advisory includes mitigation recommendations for uncontrolled search path element, relative path traversal, improper privilege management, and st. . . read more Thu, 16 Aug 2018 10:05:11 EDT

Tridium Niagara

This advisory was originally posted to the HSIN ICS-CERT library on July 10, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory. . . read more Thu, 16 Aug 2018 10:00:55 EDT

Philips IntelliSpace Cardiovascular Vulnerabilities

This medical advisory includes mitigation recommendations for improper privilege management and unquoted search path vulnerabilities in Philips'. . . read more Tue, 14 Aug 2018 10:15:11 EDT

Siemens SIMATIC STEP 7 and SIMATIC WinCC

This advisory includes mitigation recommendations for incorrect default permissions vulnerabilities in Siemens' STEP 7 and SIMATIC WinCC TIA Port. . . read more Tue, 14 Aug 2018 10:10:11 EDT

Siemens OpenSSL Vulnerability in Industrial Products

This advisory includes mitigations for OpenSSL vulnerabilities reported in various Siemens industrial products.. . . read more Tue, 14 Aug 2018 10:05:47 EDT

Siemens Automation License Manager

This advisory includes mitigation recommendations for relative path traversal and improper input validation vulnerabilities in Siemens' Automatio. . . read more Tue, 14 Aug 2018 10:00:11 EDT

Crestron TSW-X60 and MC3

This advisory includes mitigation recommendations for OS command injection, improper access control, and insufficiently protected credentials vulnerab. . . read more Thu, 09 Aug 2018 10:05:01 EDT

NetComm Wireless 4G LTE Light Industrial M2M Router

This advisory includes mitigation recommendations for information exposure, cross-site forgery, cross-site scripting, and information exposure through. . . read more Thu, 09 Aug 2018 10:00:01 EDT

Medtronic MyCareLink 24950 Patient Monitor

This medical device advisory includes mitigation recommendations for insufficient verification of data authenticity and storing passwords in a recover. . . read more Tue, 07 Aug 2018 10:10:31 EDT

Medtronic MiniMed 508 Insulin Pump

This medical device advisory includes mitigation recommendations for cleartext transmission of sensitive information and authentication bypass by capt. . . read more Tue, 07 Aug 2018 10:05:37 EDT

Delta Electronics CNCSoft and ScreenEditor

This advisory includes mitigation recommendations for stack-based buffer overflow and out-of-bounds read vulnerabilities in Delta Electronics' CN. . . read more Tue, 07 Aug 2018 10:00:01 EDT

Davolink DVW-3200N

This advisory includes mitigation recommendations for a use of password hash with insufficient computational effort vulnerability in the Davolink DVW-. . . read more Tue, 31 Jul 2018 10:20:41 EDT

Johnson Controls Metasys and BCPro

This advisory includes mitigation recommendations for an information exposure through an error message vulnerability in Johnson Controls' Metasys. . . read more Tue, 31 Jul 2018 10:15:01 EDT

WECON LeviStudioU

This advisory includes mitigation recommendations for stack-based buffer overflow and heap-based buffer overflow vulnerabilities in WECON's LeviS. . . read more Tue, 31 Jul 2018 10:10:01 EDT

AVEVA InTouch Access Anywhere

This advisory includes mitigation recommendations for a cross-site scripting vulnerability in the outdated and insecure third-party jQuery library use. . . read more Tue, 31 Jul 2018 10:05:20 EDT

AVEVA Wonderware License Server

This advisory includes mitigation recommendations for an improper restriction of operations within the bounds of a memory buffer vulnerability in the. . . read more Tue, 31 Jul 2018 10:00:30 EDT

AVEVA InduSoft Web Studio and InTouch Machine Edition

This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVA's InduSoft Web Studio and InTouch Mach. . . read more Thu, 19 Jul 2018 10:15:17 EDT

AVEVA InTouch

This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in AVEVA's InTouch HMI software.. . . read more Thu, 19 Jul 2018 10:10:01 EDT

Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600

This advisory includes mitigation recommendations for information exposure, authentication bypass using an alternate path or channel, unprotected stor. . . read more Thu, 19 Jul 2018 10:05:16 EDT