
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2520
       Multiple vulnerabilities have been identified in Moxa OnCell
                          Central Manager Server
                             30 September 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moxa OnCell Central Manager Server
Publisher:         Zero Day Initiative
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 
   http://www.zerodayinitiative.com/advisories/ZDI-15-452/
   http://www.zerodayinitiative.com/advisories/ZDI-15-453/

Comment: This bulletin contains two (2) Zero Day Initiative security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

(0Day) Moxa OnCell Central Manager Server MessageBrokerServlet Authentication
Bypass Vulnerability

ZDI-15-452: September 29th, 2015

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Moxa

Affected Products

    OnCell Central Manager

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 19418. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Moxa OnCell Central Manager
Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the MessageBrokerServlet servlet, which
does not ensure a user is authenticated prior to accepting commands. An
attacker can exploit this condition to perform various actions, including
addUserAndGroup, to take full control of the product and achieve code
execution on all managed hosts.

Vendor Response
Moxa states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI vulnerability disclosure policy on lack of vendor response.

02/05/2015 - ZDI sent reports to ICS-CERT
02/09/2015 - ZDI received an ACK and ticket # from ICS-CERT
04/14/2015 - ZDI received an update from ICS-CERT that these cases were
in work, but "months out"
04/15/2015 - ZDI reminded ICS-CERT of the predicted disclosure date,
but indicated some flexibility if the vendor could come close
05/14/2015 - ICS-CERT advised ZDI that the vendor could not patch until
August
05/14/2015 - ZDI agreed to go out to August 5
09/14/2015 - After getting a response that other Moxa cases had patched,
but seemingly not these, ZDI asked ICS-CERT if these did not patch with
the August 27 patch
09/15/2015 - ICS-CERT indicated that they would reach out to the vendor for
clarification and requested extension to do so. ZDI declined an extension,
but indicated we "will wait a couple of days, for a status."
09/18/2015 - ZDI notified ICS-CERT of the intent to 0-day the reports

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.
Disclosure Timeline

    2015-02-05 - Vulnerability reported to vendor
    2015-09-29 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Andrea Micalizzi (rgod)

--------------------------------------------------------------------------------
(0Day) Moxa OnCell Central Manager Server RequestController Static
Credentials Remote Code Execution Vulnerability

ZDI-15-453: September 29th, 2015

CVSS Score

    7.5, (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Vendors

    Moxa

Affected Products

    OnCell Central Manager

TippingPoint IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by
Digital Vaccine protection filter ID 19451. For further product information
on the TippingPoint IPS:

    http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary
code on vulnerable installations of Moxa OnCell Central Manager
Server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the login() function of the
RequestController class, which contains hard-coded credentials. An
attacker can exploit this condition to take full control of the product
and achieve code execution on all managed hosts.

Vendor Response
Moxa states:

This vulnerability is being disclosed publicly without a patch in accordance
with the ZDI vulnerability disclosure policy on lack of vendor response.

02/05/2015 - ZDI sent reports to ICS-CERT
02/09/2015 - ZDI received an ACK and ticket # from ICS-CERT
04/14/2015 - ZDI received an update from ICS-CERT that these cases were
in work, but "months out"
04/15/2015 - ZDI reminded ICS-CERT of the predicted disclosure date,
but indicated some flexibility if the vendor could come close
05/14/2015 - ICS-CERT advised ZDI that the vendor could not patch until
August
05/14/2015 - ZDI agreed to go out to August 5
09/14/2015 - After getting a response that other Moxa cases had patched,
but seemingly not these, ZDI asked ICS-CERT if these did not patch with
the August 27 patch
09/15/2015 - ICS-CERT indicated that they would reach out to the vendor for
clarification and requested extension to do so. ZDI declined an extension,
but indicated we "will wait a couple of days, for a status."
09/18/2015 - ZDI notified ICS-CERT of the intent to 0-day the reports

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the clients and servers that have a legitimate
procedural relationship with the service should be permitted to
communicate with it. This could be accomplished in a number of ways,
most notably with firewall rules/whitelisting. These features
are available in the native Windows Firewall, as described in
http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and
numerous other Microsoft Knowledge Base articles.
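One way to apply the firewall whitelisting that both mitigation sections above recommend, as an added example that is not part of the ZDI advisories or Moxa's documentation: the Central Manager's listening port ($ServicePort) and the trusted addresses ($TrustedHosts) are placeholders to be replaced with the values for the deployment, and the script must run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the ZDI advisory or Moxa's product documentation.
# Restricts inbound access to the OnCell Central Manager service to an
# allowlist of trusted hosts using the built-in Windows Firewall cmdlets.
$ServicePort  = 8080                          # PLACEHOLDER: port the Central Manager service listens on
$TrustedHosts = @('10.0.10.5', '10.0.10.6')   # PLACEHOLDER: clients/servers with a legitimate relationship
$RuleName     = 'Moxa OnCell Central Manager - trusted hosts only'

# 1. Drop unsolicited inbound traffic unless a rule explicitly allows it.
#    Block rules always beat allow rules in Windows Firewall, so the restriction
#    is "default deny + one narrowly scoped allow", not an additional block rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove existing inbound allow rules that expose the service port to every
#    remote address (for example a broad rule added by the product installer).
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$ServicePort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -eq 'Any') { Remove-NetFirewallRule -Name $_.Name }
    }

# 3. Allow the service port only from the trusted hosts (idempotent).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $ServicePort -RemoteAddress $TrustedHosts -Action Allow -Profile Any | Out-Null
}

# 4. Verify: show every inbound rule touching the port with its remote scope.
#    Anything other than the trusted-hosts rule listed here should be reviewed.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$ServicePort" } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule   = $_.DisplayName
            Action = $_.Action
            Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize
```

The same allowlist should be mirrored on any network firewall in front of the server, since a host firewall alone does nothing for hosts that are already on the same segment with a legitimate route to the service.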

Disclosure Timeline

    2015-02-05 - Vulnerability reported to vendor
    2015-09-29 - Coordinated public release of advisory

Credit
This vulnerability was discovered by:

    Andrea Micalizzi (rgod)

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================