Risk Based Security Finds Vulnerabilities In Moxa SoftCMS

December 30, 2015 By Risk Based Security
Risk Based Security is well known for aggregating vulnerability data and for our VulnDB solution, which provides vendor and software ratings as well as alerts when new vulnerabilities are released. However, the RBS Research Team also performs in-depth security assessments of software and devices to uncover new vulnerabilities and evaluate secure coding efforts. Assessments may be requested either by RBS clients wanting to ensure that products in their IT infrastructure have reasonable secure code maturity, or by our VulnDB team when it notices high-profile products in our vulnerability database with few or no vulnerabilities reported.
In May 2015, the Moxa SoftCMS solution was brought to the RBS Research Team's attention. Moxa is based in Taiwan, but has offices around the world and customers in over 70 countries. They provide products for industrial networking, computing, and automation, which are used for factory automation, smart rail, smart grid, intelligent transportation, oil & gas, marine, and mining.


Moxa SoftCMS is central management software used for managing large-scale CCTV installations from a single interface. It allows live video monitoring, video playback, Emap, remote I/O trigger, and event management. The product is primarily used in the USA and Europe.
On the surface it may seem insignificant, but the threat to an organization, not only in the digital world but also in the physical world, is substantial if an attacker can successfully gain control of a system used to access and manage all of the organization's surveillance cameras. Our Research Team, therefore, decided to take a closer look at this product.

During the assessment, the team decided to focus on two bundled ActiveX controls marked safe-for-scripting. These were interesting because any vulnerabilities in them could be exploitable simply by tricking a user into visiting a malicious website. Within a single day, the team uncovered 7 critical buffer overflow vulnerabilities in these two ActiveX controls and linked libraries. The vulnerabilities were very basic and indicated that the product had a very low secure code maturity. Unfortunately, this underlined the constant critique that ICS/SCADA systems are in poor shape, as Carsten Eiram, our Chief Research Officer, has also seen and documented before.

RBS customers were warned earlier this year after the issues were discovered. The vendor silently issued a fixed version in June 2015, and ICS-CERT released an advisory in late August 2015. Last week we published full details on the vulnerabilities, and the report can be found here.

If you need help monitoring and tracking vulnerabilities in your IT infrastructure or want to better manage your vendors, we would welcome the opportunity to do a demo of our Vulnerability Intelligence (VulnDB) and Cyber Risk Analytics (CRA) solutions. If your organization wants an evaluation of a product, e.g. one internally developed or used in your IT infrastructure, we can also assist with product assessments as well as conducting network vulnerability assessments and penetration tests.

For more information, please contact us via email or call 855-RBS-RISK.

