OTPulse

Moxa OnCell Vulnerabilities (Update A)

Severity: Act Now (CVSS 9.8) | Source: ICS-CERT ICSA-16-236-01A | Date: May 27, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Moxa OnCell G3100V2 and G3111/G3151/G3211/G3251 series cellular routers contain authentication bypass and weak credential vulnerabilities (CWE-307, CWE-256) that allow remote attackers without valid credentials to access the device management interface and execute arbitrary commands, combined with a cross-site scripting flaw (CWE-79). All firmware versions below the thresholds listed under Affected products are vulnerable, and no fixed firmware is available for either product line.

What this means
What could happen
An attacker with network access to a Moxa OnCell device could authenticate without valid credentials and execute arbitrary code, potentially allowing remote control of the cellular industrial router and interception of communications.
Who's at risk
Water authorities and electric utilities using Moxa OnCell G3100V2 or G3111/G3151/G3211/G3251 series cellular routers for remote site connectivity, SCADA communications, or failover links. These devices are commonly deployed at substations, pump stations, and remote telemetry locations to provide network access over cellular links.
How it could be exploited
An attacker on the network could connect to the Moxa OnCell web interface or management port, bypass authentication using weak or default credentials (CWE-307, CWE-256), and inject malicious commands or code that execute on the device. This could be chained with network access to intercept or modify data passing through the router.
Prerequisites
  • Network access to the Moxa OnCell device management interface (HTTP/HTTPS port, typically 80 or 443)
  • The device must be reachable from the attacker's position, whether that is the IT network or any network segment the device is attached to
Tags: remotely exploitable · no authentication required · low complexity · no patch available · critical CVSS (9.8)
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (2, both EOL)

Product                                   Affected Versions   Fix Status
OnCell G3100V2 Series                     < 2.8               No fix (EOL)
OnCell G3111/G3151/G3211/G3251 Series     < 1.7               No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Implement strict network access controls: restrict access to the OnCell management interface (HTTP/HTTPS ports) to authorized engineering workstations or a jumphost using firewall rules or network segmentation
  • HARDENING: Change all default credentials on Moxa OnCell devices immediately, using strong, unique passwords (at least 12 characters, mixed case, numbers, and symbols)
  • HARDENING: Disable remote management access if not required for operations; use only local/console access for configuration
Mitigations - no patch available
The following products have reached End of Life with no planned fix: OnCell G3100V2 Series: <2.8, OnCell G3111/G3151/G3211/G3251 Series: <1.7. Apply the following compensating controls:
  • HARDENING: Segment the cellular router from the main OT network using a dedicated VLAN or DMZ if it must be remotely managed
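The prerequisites above (network reachability of the HTTP/HTTPS management interface) and the jumphost workaround both come down to one question a defender can answer from existing logs: who is actually reaching the router's management ports, and is anyone hammering its login? The script below is an added example, not code from the advisory or from Moxa. It assumes a perimeter firewall or reverse proxy in front of the OnCell devices that logs each connection in the constructed `src=... dst=... dport=... action=... auth=...` format shown; the router addresses, the jump-host range and the failure threshold are likewise constructed. It reports (a) sources outside the jump-host allowlist that were allowed through to a management port, i.e. segmentation gaps to close, and (b) sources with repeated authentication failures, which matters because the device itself does not throttle attempts (CWE-307).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format: one line per HTTP(S) connection toward the router
# management interface, as a perimeter firewall or reverse proxy might emit it.
# This is an assumption for the example, not Moxa's own log output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>ALLOW|DENY)"
    r"(?: auth=(?P<auth>ok|fail))?$"
)

ONCELL_HOSTS = {"10.20.30.5", "10.20.30.6"}          # constructed router addresses
MGMT_PORTS = {80, 443}                                # HTTP/HTTPS management ports from the advisory
JUMPHOSTS = [ipaddress.ip_network("10.10.0.0/29")]    # constructed engineering jump-host range
FAIL_THRESHOLD = 5                                    # failed logins per source before alerting

# Constructed sample log: one legitimate jump-host session, one workstation
# outside the allowlist guessing passwords until it succeeds, one denied
# connection, and one non-management port that should be ignored.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z src=10.10.0.2 dst=10.20.30.5 dport=443 action=ALLOW auth=ok
2024-01-15T10:00:05Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=fail
2024-01-15T10:00:06Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=fail
2024-01-15T10:00:07Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=fail
2024-01-15T10:00:08Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=fail
2024-01-15T10:00:09Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=fail
2024-01-15T10:00:10Z src=192.168.50.14 dst=10.20.30.5 dport=80 action=ALLOW auth=ok
2024-01-15T10:01:00Z src=172.16.9.9 dst=10.20.30.6 dport=443 action=DENY
2024-01-15T10:02:00Z src=10.10.0.3 dst=10.20.30.6 dport=22 action=ALLOW
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_jumphost(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in JUMPHOSTS)


def mgmt_records(lines):
    """Yield parsed records for connections to an OnCell management port only."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in ONCELL_HOSTS and rec["dport"] in MGMT_PORTS:
            yield rec


def allowlist_violations(lines):
    """(src, dst) pairs outside the jump-host range that were ALLOWED through
    to the management interface: each one is a segmentation gap to close."""
    seen = set()
    for rec in mgmt_records(lines):
        if rec["action"] == "ALLOW" and not is_jumphost(rec["src"]):
            seen.add((rec["src"], rec["dst"]))
    return sorted(seen)


def auth_failure_bursts(lines, threshold=FAIL_THRESHOLD):
    """(src, dst) pairs with at least `threshold` failed logins. The device
    does not lock out after failures, so the proxy log is where a
    credential-guessing run becomes visible."""
    fails = defaultdict(int)
    for rec in mgmt_records(lines):
        if rec.get("auth") == "fail":
            fails[(rec["src"], rec["dst"])] += 1
    return {pair: n for pair, n in fails.items() if n >= threshold}


def triage(log_text):
    lines = log_text.splitlines()
    return {
        "violations": allowlist_violations(lines),
        "bursts": auth_failure_bursts(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, dst in result["violations"]:
        print(f"allowlist violation: {src} reached management interface of {dst}")
    for (src, dst), n in result["bursts"].items():
        print(f"auth failure burst: {src} -> {dst}, {n} failures")
```

Run it against the real firewall or proxy export instead of `SAMPLE_LOG` once the regex is adapted to that product's format. An empty `violations` list is the evidence that the jumphost restriction in the "Do now" list is actually enforced; a non-empty `bursts` result against an EOL router with no lockout is the signal to rotate that device's credentials and tighten the allowlist.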
API: /api/v1/advisories/aa7161a7-89ea-484c-9ff5-6196f33be0ff