Vulnerabilities > CVE-2017-14436 - NULL Pointer Dereference vulnerability in Moxa Edr-810 Firmware 4.1

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
moxa
CWE-476

Summary

An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA\_CFG2.ini" without a cookie header to trigger this vulnerability.

Vulnerable Configurations

Part Description Count
OS
Moxa
1
Hardware
Moxa
1

Common Weakness Enumeration (CWE)

Seebug

bulletinFamilyexploit
description### Summary An exploitable denial of service vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP URI can cause a null pointer dereference resulting in denial of service. An attacker can send a GET request to "/MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini" without a cookie header to trigger this vulnerability. ### Tested Versions Moxa EDR-810 V4.1 build 17030317 ### Product URLs https://www.moxa.com/product/EDR-810.htm ### CVSSv3 Score 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H ### CWE CWE-476 - NULL Pointer Dereference ### Details This device is marketed as a secure ICS (Industrial Control System) router. This device will likely be found in industrial environments such as power generation/distribution, water treatment, manufacturing, etc. This specific vulnerability causes the web server to crash. A GET request to /MOXA_LOG.ini, /MOXA_CFG.ini, or /MOXA_CFG2.ini without a cookie header will cause the binary to crash. Authentication is not required for this vulnerability. ### CVE-2017-14435 - /MOXA_CFG.ini In the following code snippet, R0 is nil if the cookie header is not set. ``` .text:0001B544 LDR R0, [R11,#s1] ; s1 .text:0001B548 LDR R1, =aMoxa_cfg_ini_0 ; "/MOXA_CFG.ini" .text:0001B54C BL strcmp ``` ### CVE-2017-14436 - /MOXA_CFG2.ini In the following code snippet, R0 is nil if the cookie header is not set. ``` .text:0001B55C LDR R0, [R11,#s1] ; s1 .text:0001B560 LDR R1, =aMoxa_cfg2_ini ; "/MOXA_CFG2.ini" .text:0001B564 BL strcmp ``` ### CVE-2017-14437 - /MOXA_LOG.ini In the following code snippet, R0 is nil if the cookie header is not set. ``` .text:0001B574 LDR R0, [R11,#s1] ; s1 .text:0001B578 LDR R1, =aMoxa_log_ini_0 ; "/MOXA_LOG.ini" .text:0001B57C BL strcmp ``` ### Exploit Proof-of-Concept ``` curl -v 192.168.127.254/MOXA_LOG.ini ``` OR ``` curl -v 192.168.127.254/MOXA_CFG.ini ``` OR ``` curl -v 192.168.127.254/MOXA_CFG2.ini ``` ### Timeline * 2017-11-15 - Vendor Disclosure * 2017-11-19 - Vendor Acknowledged * 2017-12-25 - Vendor provided timeline for fix (Feb 2018) * 2018-01-04 - Timeline pushed to mid-March per vendor * 2018-03-24 - Talos follow up with vendor for release timeline * 2018-03-26 - Timeline pushed to 4/13/18 per vendor * 2018-04-12 - Vendor patched & published new firmware on website * 2018-04-13 - Public Release
idSSV:97225
last seen2018-06-26
modified2018-04-16
published2018-04-16
reporterMy Seebug
titleMoxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities(CVE-2017-14435 - CVE-2017-14437)

Talos

idTALOS-2017-0474
last seen2019-05-29
published2018-04-13
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0474
titleMoxa EDR-810 Web Server strcmp Multiple Denial of Service Vulnerabilities