60 Vulnerabilities Affecting Moxa Railway Communication Devices- Nearly 60 vulnerabilities have been discovered in railway and other types of wireless communication devices manufactured by Taiwan-based industrial networking and automation firm Moxa.
SEC Consult, which is owned by Atos, announced last week that one of its researchers uncovered two new vulnerabilities in Moxa devices, as well as other obsolete third-party software components that introduce dozens of issues.
According to SEC Consult, Moxa devices are vulnerable to a command injection flaw (CVE-2021-39279) that can be used by an authenticated attacker to compromise the device’s operating system, as well as a reflected cross-site scripting (XSS) flaw that can be used to compromise the device’s operating system using a specially crafted configuration file (CVE-2021-39278).
More than 50 more vulnerabilities in third-party components such as the GNU C Library (glibc), the DHCP client in BusyBox, the Dropbear SSH software, the Linux kernel, and OpenSSL have also been uncovered in the last decade, affecting the products.
For the vulnerabilities, Moxa has issued two separate advisories. The influence on the TAP-323, WAC-1001, and WAC-2004 series devices, which are built for railways, is described in one of them. The TAP-323 is a trackside wireless access point for train-to-ground wireless communications, whereas the WACs are rail wireless access controllers.
Patches are available for the TAP-323 and WAC-1001 products, but the WAC-2004 series devices have been withdrawn, and Moxa has recommended consumers to take steps to mitigate the risk of exploitation.
While SecurityWeek hasn’t undertaken an investigation to see if the XSS and command injection weaknesses can be chained, Thomas Weber, the SEC Consult researcher who revealed the vulnerabilities to Moxa, believes it is doable. To gain the information needed to get authorised on the system and exploit the command injection, an attacker would need to deceive an authenticated user into clicking on a link that would activate the XSS.
If an attacker gains access to the vulnerable devices’ web-based management interface and obtains login credentials — which might be gained in a variety of ways — they will be able to take control of the entire device with persistent access.
“All you need are the device credentials to exploit the command injection, and you have access to the internal network,” Weber explained.
When asked about the impact of a hacker on train operations, the researcher said it’s difficult to say how much disruption a hacker may cause because it relies on the “criticality of the communications that are sent through the device.”
An authenticated attacker might use the command injection vulnerability to permanently brick a device, disrupting wireless connections. An attacker may also use the web interface to turn off the device.
Moxa’s WDR-3124A series wireless routers and OnCell’s G3470A-LTE series industrial cellular gateways are both affected by the same 60 vulnerabilities. For these goods, the vendor has issued a separate advisory. Only cellular gateway patches have been published, although mitigations are available for enterprises still utilising the discontinued product.
While exploitation in most cases would require access to the network housing the targeted devices, according to a Shodan search, about 60 compromised cellular gateways could be vulnerable to internet attacks.