Moxa EDR-810 Web Server Weak Cryptography for Passwords Vulnerability(CVE-2017-12129)

### Summary An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them. ### Tested Versions Moxa EDR-810 V4.1 build 17030317 ### Product URLs https://www.moxa.com/product/EDR-810.htm ### CVSSv3 Score 3.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N ### CWE CWE-216 - Weak Cryptography for Passwords ### Details After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device's password. ### Exploit Proof-of-Concept In the Cookie there is a PASSWORD= parameter. This parameter contain a MD5 of the users password. ``` GET /overview.asp HTTP/1.1 Host: 192.168.127.254 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.127.254/home.asp?action=go Cookie: sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1506954769474; NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0; Auto-Logout_Time=3600000; sessionID=2933537563 Connection: keep-alive ``` ### Timeline * 2017-11-15 - Vendor Disclosure * 2017-11-19 - Vendor Acknowledged * 2017-12-25 - Vendor provided timeline for fix (Feb 2018) * 2018-01-04 - Timeline pushed to mid-March per vendor * 2018-03-24 - Talos follow up with vendor for release timeline * 2018-03-26 - Timeline pushed to 4/13/18 per vendor * 2018-04-12 - Vendor patched & published new firmware on website * 2018-04-13 - Public Release