
Technical FAQs
Question Moxa Statement Regarding ICS-VU-240049 Report on Moxa ioLogik E1200
Question Type Security Advisory
Updated 9/5/2017 12:18:29 PM
Products ioLogik E2210, ioLogik E2212, ioLogik E2240, ioLogik E2262, ioLogik E1262, ioLogik E2260, ioLogik E2242, ioLogik E2214, ioLogik E1211, ioLogik E1212, ioLogik E1241, ioLogik E1242, ioLogik E1260, ioLogik E1210, ioLogik E1214, ioLogik E1240, ioLogik E1213, ioLogik E1261W-T, ioLogik E1261H-T, ioLogik E1263H-T
Suggestions

On Aug. 11, Moxa was contacted by ICS-CERT regarding security vulnerabilities in the ioLogik E1200 series remote I/O that were reported by Applied Risk. The four reported vulnerabilities are:

| Item | Vulnerability Type | Impact |
|------|--------------------|--------|
| 1 | Multiple Stored Cross Site Scripting (XSS) | An authenticated user can execute arbitrary code from the web console. |
| 2 | Password sent via HTTP GET method | In the HTTP web console, the password is not encrypted during the HTTP GET request. |
| 3 | Password truncation | With a brute force attack tool, it is possible to guess simple passwords (e.g. password 12345678 or abcd1234). |
| 4 | Missing CSRF Protection | An attacker may send requests by making a legitimate user click on a link. |

Suggested Mitigation

Moxa recommends that customers should:

  • Use a firewall or a VPN tunnel to protect internet communication.
  • Minimize network exposure with strict access control to the control systems.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • Enable the “Accessible IP List” feature of the ioLogik products to prevent any unauthorized access to the administrative web management interface.
  • Set up strong passwords with a mix of special characters.
  • Upgrade existing products after Moxa releases BETA or STD firmware.

Affected Products and Solution Patch Plan

In addition to the ioLogik E1200 series, we also found the same vulnerability in the ioLogik E2200 series. The product status and patch plan are covered in the table below. For any urgent needs, please contact Moxa Technical Support to get the fixed beta firmware.

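| Product Line | Affected? | Beta Firmware Release | STD Firmware Release |
|--------------|-----------|-----------------------|----------------------|
| ioLogik E1200 series | Yes | August 22nd, 2016 | September 30th, 2016 |
| ioLogik E2200 series | Yes | September 2nd, 2016 | October 31st, 2016 |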
