-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1080
                 MOXA Weak Entropy in DSA Keys Vulnerability
                                7 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moxa OnCell Gateway
Publisher:         US-CERT
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3039

Original Bulletin:
   http://ics-cert.us-cert.gov/advisories/ICSA-13-217-01

- --------------------------BEGIN INCLUDED TEXT--------------------

Advisory (ICSA-13-217-01)
MOXA Weak Entropy in DSA Keys Vulnerability

Original release date: August 05, 2013 | Last revised: August 06, 2013

Researcher Nadia Heninger of the University of California, San Diego, and
researchers Zakir Durumeric, Eric Wustrow, and J. Alex Halderman of the
University of Michigan identified an insufficient entropy vulnerability in
Moxa's OnCell Gateways. Moxa produced and released a firmware upgrade on
April 3, 2013, that mitigates this vulnerability.

This vulnerability could be exploited remotely.

Affected Products

The following Moxa OnCell Gateway models (before firmware version 1.4) are
affected: G3111, G3151, G3211, and G3251.

Impact

An attacker could gain unauthorized access to the gateway by obtaining its
SSH and SSL private host keys, which the weak entropy leaves reused or
nonunique across devices. Exploitation of this vulnerability could allow an
attacker to affect the confidentiality, integrity, and availability of the
OnCell Gateways.

Impact to individual organizations depends on many factors that are unique
to each organization. ICS-CERT recommends that organizations evaluate the
impact of this vulnerability based on their operational environment,
architecture, and product implementation.
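The Impact section says an attacker can obtain a gateway's private
authentication keys because they were generated with too little entropy. The
advisory does not state which random value was starved, so what follows is an
added illustration, not code from ICS-CERT, the named researchers or Moxa: a
toy DSA in which the per-signature nonce k repeats (the classic outcome of a
poorly seeded RNG), so that anyone who captures two signatures can compute the
private key with a handful of modular operations. The group (p = 607, q = 101,
g = 64), the private key x = 57, the nonce k = 23 and the two message digests
are constructed so the arithmetic can be checked by hand.

```python
"""Toy DSA: why weak entropy lets an attacker calculate a private key.

Added illustration, not code from the advisory, the researchers or Moxa.
If a device's RNG has too little entropy, the per-signature nonce k can
repeat. Two DSA signatures that share k (visible as an identical r) on
different digests reveal the signing key. The parameters are constructed
and deliberately tiny: p = 607, q = 101 (606 = 6 * 101), g = 2^6 mod p = 64,
which has order q. Real DSA uses p of 1024+ bits and q of 160+ bits; the
algebra is identical.
"""

P, Q, G = 607, 101, 64


def sign(x, h, k):
    """Standard DSA signature of digest h (already reduced mod q) with
    private key x and nonce k. Returns (r, s)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; a real signer picks a new k")
    return r, s


def verify(y, h, sig):
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


def recover_private_key(h1, sig1, h2, sig2):
    """Attacker side. With a shared nonce k (so r1 == r2):
         s1 - s2 = k^-1 (h1 - h2)   =>  k = (h1 - h2) * (s1 - s2)^-1
         s1      = k^-1 (h1 + x r)  =>  x = (s1 k - h1) * r^-1      (mod q)
    Returns None if the nonces differ or the digests collide mod q."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


def demo():
    """Sign two messages with the same nonce and recover x from the pair."""
    x = 57            # constructed device private key (never leaves the device)
    y = pow(G, x, P)  # its public key, as advertised in the SSH host key
    k = 23            # the "random" nonce a starved RNG produces twice
    h1, h2 = 42, 77   # constructed digests; real DSA uses SHA-1(m) reduced mod q
    sig1, sig2 = sign(x, h1, k), sign(x, h2, k)
    assert verify(y, h1, sig1) and verify(y, h2, sig2)   # both signatures are valid
    assert sig1[0] == sig2[0]                            # identical r betrays the reuse
    return x, recover_private_key(h1, sig1, h2, sig2)


if __name__ == "__main__":
    original, recovered = demo()
    print(f"device private key {original}; recovered from two signatures: {recovered}")
```

Because r is transmitted in the clear with every signature, the detection
side of this is cheap: the same key producing the same r twice is sufficient
evidence that its nonce source is broken, even before anyone runs the
recovery.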
Background

Moxa is a Taiwan-based company that maintains offices in several countries
around the world, including the US, UK, India, Germany, France, China, and
Brazil.

The affected products, Moxa OnCell Gateways, are cellular IP gateways that
can conveniently and transparently connect up to two devices to a cellular
network, so that existing Ethernet and serial devices can be attached with
only basic configuration.

According to Moxa, Moxa OnCell Gateways are deployed across several sectors,
including critical manufacturing, transportation systems, information
technology, water and wastewater, and communications. Moxa estimates that
these products are used globally, mostly in the Asia-Pacific region, with
smaller deployments in the Americas and Europe.

Vulnerability Characterization

Vulnerability Overview

Insufficient entropy[a]

The OnCell G3111, G3151, G3211, and G3251 gateways do not use sufficient
entropy when generating keys for SSH and SSL connections; as a result, the
generated keys can be nonunique across devices or recoverable by an
attacker. By calculating the private authentication keys, an attacker could
gain unauthorized access to the system, read information on the device, and
send commands to it, compromising the confidentiality and integrity of the
data and potentially its availability.

CVE-2012-3039[b] has been assigned to this vulnerability. A CVSS v2 base
score of 7.1 has been assigned; the CVSS vector string is
(AV:N/AC:H/Au:S/C:C/I:C/A:C).[c]

Vulnerability Details

Exploitability

This vulnerability could be exploited remotely.

Existence of Exploit

No known public exploits specifically target this vulnerability.

Difficulty

An attacker with a high skill level would be able to exploit this
vulnerability.

Mitigation

Moxa released a firmware upgrade (OnCell G3111/G3151/G3211/G3251 Version
1.4) for these products on April 3, 2013, and is currently in the process
of notifying its customers.
This upgrade can be downloaded from the Moxa software download page at the
following link:

   http://www.moxa.com/support/download.aspx?type=support&id=222

The firmware upgrade fixes the vulnerability by increasing the entropy in
the dynamically generated keys to avoid nonuniqueness and key reuse.

ICS-CERT encourages asset owners to take additional defensive measures to
protect against this and other cybersecurity risks.

  * Minimize network exposure for all control system devices. Critical
    devices should not directly face the Internet.
  * Locate control system networks and remote devices behind firewalls, and
    isolate them from the business network.
  * When remote access is required, use secure methods, such as Virtual
    Private Networks (VPNs), recognizing that a VPN is only as secure as the
    devices connected to it.

ICS-CERT also provides a section for control systems security recommended
practices on the ICS-CERT Web page. Several recommended practices are
available for reading and download, including Improving Industrial Control
Systems Cybersecurity with Defense-in-Depth Strategies.[d]

ICS-CERT reminds organizations to perform proper impact analysis and risk
assessment prior to taking defensive measures.

Additional mitigation guidance and recommended practices are publicly
available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B,
Targeted Cyber Intrusion Detection and Mitigation Strategies,[e] which is
available for download from the ICS-CERT Web page
(http://ics-cert.us-cert.gov/).

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to ICS-CERT for
tracking and correlation against other incidents.

a. CWE-331: Insufficient Entropy,
   http://cwe.mitre.org/data/definitions/331.html, Web site last accessed
   August 05, 2013.
b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3039,
   NIST uses this advisory to create the CVE Web site report.
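The mitigation above fixes key generation, but it does not tell an asset
owner whether the gateways already in the field share a host key, and a key
generated under the old firmware is only made unique if the device
regenerates it after the upgrade (and any cached known_hosts entries are
refreshed). The following added example, not code from ICS-CERT, Moxa or the
researchers, takes the "host keytype base64" lines that ssh-keyscan prints,
computes OpenSSH-style SHA256 fingerprints and reports any key presented by
more than one host, and checks the advisory's affected model/firmware
condition. The sample keyscan lines, their key blobs and the 10.0.0.x
addresses are constructed placeholders; the blobs are valid base64 but not
real keys.

```python
"""Audit collected SSH host keys for reuse across devices.

Added example, not from the advisory, Moxa or ICS-CERT. Input is the
"host keytype base64" format that `ssh-keyscan -t dsa,rsa <hosts>` prints.
The sample below is constructed: the blobs are not real keys, only valid
base64 so the fingerprinting code runs offline.
"""
import base64
import hashlib
from collections import defaultdict

AFFECTED_MODELS = {"G3111", "G3151", "G3211", "G3251"}   # from the advisory
FIXED_VERSION = (1, 4)                                   # firmware 1.4 fixes it


def openssh_fingerprint(b64_key):
    """Same value `ssh-keygen -lf` prints: SHA256 of the raw key blob,
    base64 encoded with the trailing '=' padding removed."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Group ssh-keyscan lines by fingerprint -> list of (host, keytype)."""
    by_fp = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue                      # comments, blank lines, truncated lines
        host, ktype, key = parts[:3]
        by_fp[openssh_fingerprint(key)].append((host, ktype))
    return dict(by_fp)


def shared_keys(by_fp):
    """Fingerprints that more than one distinct host presents: the
    'nonunique host key' condition the advisory describes."""
    out = {}
    for fp, entries in by_fp.items():
        hosts = sorted({host for host, _ in entries})
        if len(hosts) > 1:
            out[fp] = hosts
    return out


def firmware_is_affected(model, version):
    """True for G3111/G3151/G3211/G3251 running firmware before 1.4."""
    if model.upper() not in AFFECTED_MODELS:
        return False
    major, minor, *_ = (version + ".0").split(".")   # tolerate "1" or "1.3.2"
    return (int(major), int(minor)) < FIXED_VERSION


def _blob(ktype, tag):
    """Constructed stand-in for a public key blob (valid base64, not a real key)."""
    wire = len(ktype).to_bytes(4, "big") + ktype.encode() + tag
    return base64.b64encode(wire).decode()


# Constructed sample; real data comes from:
#   ssh-keyscan -t dsa,rsa 10.0.0.11 10.0.0.12 10.0.0.13
SAMPLE_KEYSCAN = "\n".join([
    "# constructed sample, not captured output",
    "10.0.0.11 ssh-dss " + _blob("ssh-dss", b"factory-image-key-A"),
    "10.0.0.12 ssh-dss " + _blob("ssh-dss", b"factory-image-key-A"),  # same as .11
    "10.0.0.13 ssh-dss " + _blob("ssh-dss", b"key-C"),
    "10.0.0.11 ssh-rsa " + _blob("ssh-rsa", b"rsa-key-11"),
])


def audit(text=SAMPLE_KEYSCAN):
    """Return {fingerprint: [hosts]} for every key shared between hosts."""
    return shared_keys(parse_keyscan(text))


if __name__ == "__main__":
    for fp, hosts in audit().items():
        print(f"{fp} presented by {len(hosts)} hosts: {', '.join(hosts)}")
    for model, ver in (("G3111", "1.3"), ("G3251", "1.4")):
        state = "affected" if firmware_is_affected(model, ver) else "fixed"
        print(f"{model} firmware {ver}: {state}")
```

Run the scan from a host that can already reach the gateways over the
management network rather than opening them to the Internet; the point of the
audit is to find shared keys before an attacker does, and a duplicate found
here is a reason to regenerate the key on every device that presents it.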
   This Web site will be active sometime after publication of this
   advisory.
c. CVSS Calculator,
   http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:S/C:C/I:C/A:C,
   Web site last visited August 05, 2013.
d. CSSP Recommended Practices,
   http://ics-cert.us-cert.gov/content/recommended-practices, Web site last
   accessed August 05, 2013.
e. Targeted Cyber Intrusion Detection and Mitigation Strategies,
   http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last
   accessed August 05, 2013.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: ics-cert@hq.dhs.gov
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting:
http://ics-cert.us-cert.gov

ICS-CERT continuously strives to improve its products and services. You can
help by answering a short series of questions about this product at the
following URL: https://forms.us-cert.gov/ncsd-feedback/.

Legal

For Legal Information pertaining to this document, please consult
http://ics-cert.us-cert.gov/Legal-Disclaimer

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUgGZqhLndAQH1ShLAQIbVQ/9F9V8wmdCoTsZ7pUzAtT4MEUGjCfn7T+9
fzLrr1bd5qPAy3/ZOIydwGHuUrJk9O87E06KuiAywBzSRlXFduceD+xXbJlxsZsV
+k9jU8bqjL+GqZh2EjJC/hP2lSH45ZddpcXL9cBoOntAJub9/CSExKteBONpkBqL
wWCKc2VbeQXhHv3ZsT06mqq2izL+NnuRUS0BFsgnqjePsrEV89Uo9nRg2e7bW3jK
0CYGD5WxWrHUup8/5uqTC58E/0iO6NdWk1Al4+IotsEXYkKePXCwuWG8cnstgTTs
nab4xtisdC+P0is1OmlsKIbQ8iW+RqEXAEz4/k5bKlXrEEGobtZf+HCwWXx74POA
MxdVt57xV7eBz+B/tE/UwY5dQXj3nvkn/W4Qo3cuTIM/GTWizoSPue70L8IJg1EZ
AD/nxIkYNQE6wvwYfXSDw8MiWo36lyweiuNFrMLs0irJBxeOtsIcsr0TX4oAWkAT
RS523Nvl9Ymq81WMhYsWY4yKHBX6n9O6B36BM41Mh2ScSTuXAmWBDgwLjUE7dbKw
m1i5Ipu//PRkgrs5Tk5ivp8x4yAC4tEl0D+p1f3WQaVJ1yeK4TuvcRGfNvlOAzHH
Y69MO+l57aRoLS8bnmQMw8XcMUQLa1ytQV1T5XLjih1wheYDolj/ecyilXBnXe4M
BocKsZuWCSM=
=hdGf
-----END PGP SIGNATURE-----