OTPulse

Motorola MOSCAD SCADA IP Gateway Vulnerabilities

Monitor · 7.5 · ICS-CERT ICSA-15-351-02 · Sep 19, 2015
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Motorola MOSCAD SCADA IP Gateway contains two vulnerabilities (CWE-98 dynamic code execution and CWE-352 missing CSRF protection) affecting all versions. The gateway is used to bridge SCADA networks with IP-based communications. No vendor fix is available.

What this means
What could happen
An attacker with network access to the gateway could read sensitive data from the SCADA network, including operator credentials, setpoints, and system configuration. The gateway also lacks CSRF protection, allowing an attacker to trigger unauthorized commands if an authenticated operator visits a malicious website.
Who's at risk
Energy utilities operating Motorola MOSCAD SCADA systems should be concerned. The IP Gateway is typically deployed to connect field sensors, RTUs, and PLCs to corporate IT systems or remote monitoring centers. Compromise could expose the entire SCADA network's configuration and operational data.
How it could be exploited
An attacker on the network containing the IP Gateway could send a crafted request that exploits the dynamic code execution vulnerability to extract SCADA data, or trick an authenticated operator into visiting a malicious website to perform unauthorized SCADA commands via CSRF.
Prerequisites
  • Network access to the MOSCAD SCADA IP Gateway
  • For CSRF attacks: an authenticated gateway operator visiting an attacker-controlled website
remotely exploitable · no authentication required for code execution · low complexity · no patch available · affects SCADA data confidentiality
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
MOSCAD SCADA IP Gateway: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate the MOSCAD IP Gateway from untrusted networks using air-gapped or DMZ architecture
HARDENING: Restrict network access to the gateway to only authorized engineering workstations and control systems using firewall rules
WORKAROUND: Require operators to avoid visiting untrusted websites while authenticated to the gateway to mitigate CSRF risk
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement network segmentation to prevent lateral movement if the gateway is compromised
HARDENING: Monitor gateway access logs for suspicious connection attempts or data exfiltration
API: /api/v1/advisories/b9dcbbbd-2c2e-4a72-b340-4887b0b8ef75