Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility
Monitor | 7.5 | ICS-CERT ICSA-20-056-02 | Feb 25, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in Moxa ioLogik 2500 series controllers (firmware version 3.0 and earlier) and IOxpress configuration utility (version 2.3.0 and earlier). The vulnerabilities include sensitive data transmitted in cleartext (CWE-319), insufficient data protection (CWE-312), and a generic flaw in handling data (CWE-941). Successful exploitation could crash the device or allow unauthorized access to sensitive configuration information without authentication. The vulnerabilities are remotely exploitable over the network.
What this means
What could happen
An attacker with network access could crash ioLogik 2500 series controllers or read sensitive configuration data from them or the IOxpress utility, potentially revealing device settings or credentials used in your water/power system.
Who's at risk
Water and electric utilities using Moxa ioLogik 2500 series controllers (remote IO devices for process monitoring and control) and sites using IOxpress configuration utility to manage these devices. These are typically used in SCADA/RTU applications to read sensor inputs and control field equipment.
How it could be exploited
An attacker on the same network segment as the ioLogik 2500 controller or the configuration workstation could send specially crafted network requests to extract sensitive data from memory or cause a denial of service. No authentication is required and the vulnerability is remotely exploitable.
Prerequisites
- Network access to ioLogik 2500 series controller or IOxpress configuration utility on the same network segment
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity attack, affects industrial controllers, no patch currently available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2), 2 EOL
Product | Affected Versions | Fix Status
IOxpress configuration utility | ≤ 2.3.0 | No fix (EOL)
ioLogik 2500 series: firmware | ≤ 3.0 | No fix (EOL)
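To find which assets fall inside the affected ranges above, the following added example (not part of the advisory or any Moxa tooling) triages an inventory export against the two version ceilings. The CSV layout, asset names and version string formats are constructed assumptions, and a row with no readable version is treated as affected.

```python
import csv
import re

# Inclusive upper bounds copied from the advisory's affected-products table.
AFFECTED_MAX = {
    "iologik 2500": (3, 0),   # firmware <= 3.0
    "ioxpress": (2, 3, 0),    # utility  <= 2.3.0
}

# Constructed inventory export: asset names and version strings are made up.
SAMPLE_INVENTORY = """asset,product,version
rtu-pump-01,ioLogik 2542-HSPA,V3.0 Build 18041711
rtu-pump-02,ioLogik 2512,3.1
rtu-tank-07,ioLogik 2542,
eng-ws-03,IOxpress,2.3.0
eng-ws-04,IOxpress,v2.4
hist-01,Historian Server,9.2
"""

def product_family(name):
    """Map a free-text product name to an advisory family, or None."""
    if "ioxpress" in name.lower():
        return "ioxpress"
    # Assumption: any "ioLogik 25xx" model string belongs to the 2500 series.
    return "iologik 2500" if re.search(r"iologik\s*25\d\d", name, re.I) else None

def parse_version(text):
    """Return the first dotted number in text as an int tuple, else None."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_affected(family, version):
    """Inclusive compare; an unreadable version counts as affected (fail closed)."""
    if version is None:
        return True
    limit = AFFECTED_MAX[family]
    width = max(len(limit), len(version))
    padded = version + (0,) * (width - len(version))
    return padded <= limit + (0,) * (width - len(limit))

def triage(inventory_csv):
    """Return (asset, family, version) for every row in the affected range."""
    hits = []
    for row in csv.DictReader(inventory_csv.splitlines()):
        family = product_family(row["product"])
        if family and is_affected(family, parse_version(row["version"])):
            hits.append((row["asset"], family, row["version"] or "unknown"))
    return hits
```

Calling `triage(SAMPLE_INVENTORY)` returns the three constructed assets at or below the ceilings, including the one whose firmware version is blank.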
Remediation & Mitigation
Do now
HARDENING: Isolate ioLogik 2500 series controllers and configuration workstations from the business network; place them behind a firewall and restrict access to authorized engineering personnel only
HARDENING: Disable remote access to ioLogik 2500 series controllers unless absolutely required; if remote access is necessary, enforce it through a VPN with current security patches
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HOTFIX: Contact Moxa Technical Support to request and obtain the available security patch for ioLogik 2500 series and IOxpress
Mitigations - no patch available
The following products have reached End of Life with no planned fix: IOxpress configuration utility, ioLogik 2500 series: firmware. Apply the following compensating controls:
HARDENING: Segment your control system network so that ioLogik devices are not reachable from the Internet or general business systems