Vulnerability Spotlight: Hard-coded Credential Flaw in Moxa ICS Wireless Access Points Identified and Fixed

Earlier this month, Talos responsibly disclosed a set of vulnerabilities in Moxa ICS wireless access points. While most of the vulnerabilities were addressed in the previous set of advisories, Talos has continued to work with Moxa to ensure all remaining vulnerabilities that Talos identified are patched. Today in coordination with Moxa, Talos is disclosing the TALOS-2016-0231, a hard-coded credential vulnerability that could allow an attacker to gain complete control of the device. Moxa has released a software update to address TALOS-2016-0231 and other bugs.

Vulnerability Details

This vulnerability was identified by Patrick DeSantis of Talos.

TALOS-2016-0231 (CVE-2016-8717) is a hard-coded credential vulnerability within Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client devices. An undocumented, root-level account with hard-coded credentials exists in these devices with no mechanism to disable or remove the account permanently. An attacker could leverage this account and gain complete control of the device remotely.

The following are the hard-coded credentials:

Username: 94jo3dkru4
Password: moxaiwroot

In the event patching is not possible, it is recommended that you disable remotely-accessible services, such as SSH and Telnet.

Talos has written Snort rules to detect attempts to exploit the vulnerability. Administrators should be aware that these rules are subject to change pending new or additional information regarding this vulnerabilities. For the most current information, we recommend customers review their Defense Centers or visit Snort.org.

Snort Rule: 40758

To view this and other vulnerabilities Talos has disclosed, please visit to our Vulnerability Report Portal:
http://www.talosintelligence.com/vulnerability-reports/

Our Vulnerability Disclosure Policy is also available here:
http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html