Moxa VPort ActiveX SDK Plus Stack-Based Buffer Overflow Vulnerability

Low RiskICS-CERT ICSA-15-097-01Jan 8, 2015

Summary

A stack-based buffer overflow vulnerability exists in Moxa VPort ActiveX SDK Plus component affecting multiple VPort IP camera models and the MxNVR network video recorder. The vulnerability allows arbitrary code execution through specially crafted input that overflows a stack buffer. All affected products are end-of-life with no vendor fix planned.

What this means

What could happen

A stack-based buffer overflow in the Moxa VPort ActiveX SDK Plus component could allow an attacker to execute arbitrary code on systems where the affected software is installed, potentially compromising video surveillance infrastructure or any application using the SDK.

Who's at risk

This vulnerability affects organizations using Moxa VPort IP cameras and video surveillance systems for facility monitoring and security. The MxNVR network video recorder and the entire VPort camera series (26A, 36, 351, 354, 364A, 451, 461, and 56 models) are affected. Any facility using these cameras for perimeter security, traffic monitoring, or critical infrastructure surveillance should assess their exposure.

How it could be exploited

An attacker would craft a malicious input that overflows a buffer in the ActiveX control's stack memory, overwriting the return address to point to attacker-controlled code. This could be delivered through a web page or application that instantiates the vulnerable ActiveX component, requiring the victim to visit or interact with the malicious content.

Prerequisites

System running Windows with ActiveX enabled
Vulnerable version of Moxa VPort ActiveX SDK Plus installed (version <2.8)
User interaction required to load a web page or application containing the malicious input

no patch availableaffects video surveillance systemsstack-based buffer overflow with code execution potentialrequires ActiveX enablement on client systems

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (13)

13 EOL

ProductAffected VersionsFix Status

MxNVR-MO4 Series: <2.8<2.8No fix (EOL)

VPort 26A-1MP Series: <2.8<2.8No fix (EOL)

VPort 351: <2.8<2.8No fix (EOL)

VPort 354: <2.8<2.8No fix (EOL)

VPort 36-1MP Series: <2.8<2.8No fix (EOL)

VPort 364A Series: <2.8<2.8No fix (EOL)

VPort 461: <2.8<2.8No fix (EOL)

VPort 56-2MP Series: <2.8<2.8No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIdentify and inventory all systems running Moxa VPort ActiveX SDK Plus versions prior to 2.8

WORKAROUNDDisable ActiveX controls in web browsers if not required for critical operations

HARDENINGRestrict network access to affected Moxa VPort devices to only authorized management and monitoring networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGApply network segmentation to isolate video surveillance systems from general corporate networks

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MxNVR-MO4 Series: <2.8, VPort 26A-1MP Series: <2.8, VPort 351: <2.8, VPort 354: <2.8, VPort 36-1MP Series: <2.8, VPort 364A Series: <2.8, VPort 461: <2.8, VPort 56-2MP Series: <2.8, VPort P06-1MP-M12: <2.8, VPort P06HC-1MP-M12 Series: <2.8, VPort P16-1MP-M12-IR Series: <2.8, VPort 451: <2.8, VPort P16-1MP-M12 Series: <2.8. Apply the following compensating controls:

HARDENINGEvaluate replacement of affected Moxa VPort models with current products that receive security updates

CVEs (1)

CVE-2015-0986

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/738c81b1-53d2-40a2-a802-faf3f5ec20d9