CVE-2017-14435 - NULL Pointer Dereference vulnerability in Moxa Edr-810 Firmware 4.1
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | HIGH |
Summary
An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_CFG.ini" without a cookie header to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 | |
Hardware | 1 |
Common Weakness Enumeration (CWE)
Seebug
bulletinFamily | exploit |
description |

### Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability.

### Tested Versions

Moxa EDR-810 V4.1 build 17030317

### Product URLs

https://www.moxa.com/product/EDR-810.htm

### CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

### CWE

CWE-476 - NULL Pointer Dereference

### Details

This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash. A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability.

### CVE-2017-14435 - /MOXA_CFG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

```
.text:0001B544 LDR R0, [R11,#s1] ; s1
.text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini"
.text:0001B54C BL strcmp
```

### CVE-2017-14436 - /MOXA_CFG2.ini

In the following code snippet, R0 is nil if the cookie header is not set.

```
.text:0001B55C LDR R0, [R11,#s1] ; s1
.text:0001B560 LDR R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini"
.text:0001B564 BL strcmp
```

### CVE-2017-14437 - /MOXA_LOG.ini

In the following code snippet, R0 is nil if the cookie header is not set.

```
.text:0001B574 LDR R0, [R11,#s1] ; s1
.text:0001B578 LDR R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini"
.text:0001B57C BL strcmp
```

### Exploit Proof-of-Concept

```
curl -v 192.168.127.254/MOXA_LOG.ini
```

OR

```
curl -v 192.168.127.254/MOXA_CFG.ini
```

OR

```
curl -v 192.168.127.254/MOXA_CFG2.ini
```

### Timeline

* 2017-11-15 - Vendor Disclosure
* 2017-11-19 - Vendor Acknowledged
* 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
* 2018-01-04 - Timeline pushed to mid-March per vendor
* 2018-03-24 - Talos follow up with vendor for release timeline
* 2018-03-26 - Timeline pushed to 4/13/18 per vendor
* 2018-04-12 - Vendor patched & published new firmware on website
* 2018-04-13 - Public Release

id | SSV:97225 |
last seen | 2018-06-26 |
modified | 2018-04-16 |
published | 2018-04-16 |
reporter | My Seebug |
title | Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities (CVE-2017-14435 - CVE-2017-14437) |
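
The pattern described in the Details section, as an added C example (not Moxa firmware code and not part of the Talos report): the three `strcmp` calls receive an `s1` that may be NULL, and the hardened form rejects the request before any comparison. The function names, the `route` enum, the sample requests and the way `s1` is tied to the Cookie header are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum route { ROUTE_NONE, ROUTE_CFG, ROUTE_CFG2, ROUTE_LOG, ROUTE_REJECT };

/* Constructed sample requests (not captured traffic). */
const char REQ_COOKIE[] = "GET /MOXA_CFG.ini HTTP/1.1\r\nHost: device.example\r\nCookie: sid=constructed\r\n\r\n";
const char REQ_NO_COOKIE[] = "GET /MOXA_CFG.ini HTTP/1.1\r\nHost: device.example\r\n\r\n";

/* Returns 1 if a header line with this name (any case) is in the request. */
int has_header(const char *req, const char *name)
{
    size_t n = strlen(name);
    while ((req = strchr(req, '\n')) != NULL) {
        req++;                                /* start of the next line */
        if (strncasecmp(req, name, n) == 0 && req[n] == ':')
            return 1;
    }
    return 0;
}

/* Pattern in the disassembly: s1 reaches strcmp() unchecked; NULL crashes. */
enum route route_unchecked(const char *s1)
{
    if (strcmp(s1, "/MOXA_CFG.ini") == 0)  return ROUTE_CFG;
    if (strcmp(s1, "/MOXA_CFG2.ini") == 0) return ROUTE_CFG2;
    if (strcmp(s1, "/MOXA_LOG.ini") == 0)  return ROUTE_LOG;
    return ROUTE_NONE;
}

/* Hardened form: refuse the request before any comparison touches s1. */
enum route route_checked(const char *s1)
{
    return s1 == NULL ? ROUTE_REJECT : route_unchecked(s1);
}

/* Assumption: models "s1 is NULL without a Cookie header"; the firmware's
 * real derivation of s1 is not shown on the page. */
enum route handle(const char *req, const char *path)
{
    const char *s1 = has_header(req, "Cookie") ? path : NULL;
    return route_checked(s1);
}

int main(void)
{
    printf("with cookie: %d, no cookie: %d\n",
           handle(REQ_COOKIE, "/MOXA_CFG.ini"), handle(REQ_NO_COOKIE, "/MOXA_CFG.ini"));
    return 0;
}
```

The same guard applies to any pointer populated from an optional request header: check it once at the point it is produced, so every later string comparison can rely on it being non-NULL.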
Talos
id | TALOS-2017-0474 |
last seen | 2019-05-29 |
published | 2018-04-13 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0474 |
title | Moxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities |