CVE-2017-13698

Vulnerability

An issue was discovered in MOXA EDS-G512E switches running firmware version 5.1 build 16072215. The vulnerability resides in the inclusion of default public and private keys within the firmware image. This allows an attacker to obtain these keys by downloading the firmware from the MOXA website and extracting them. The keys are embedded in the firmware and are not unique per device, meaning all switches with default settings share the same cryptographic material [1].

Exploitation

To exploit this vulnerability, an attacker needs to obtain the firmware image from the MOXA website, which is publicly available. The attacker can then extract the embedded public and private keys using standard firmware analysis tools. With the keys in hand, the attacker can target any production switch that has not had its default keys replaced. No authentication is required to retrieve the firmware, and no user interaction is needed on the target switch.

Impact

Successful exploitation allows an attacker to decrypt encrypted communications, impersonate the switch, or perform other cryptographic operations that rely on the default keys. This can lead to information disclosure, man-in-the-middle attacks, or unauthorized access to the network segment managed by the switch. The compromise affects the confidentiality and integrity of network traffic, potentially enabling further attacks within the industrial control system.

Mitigation

MOXA has not publicly disclosed a specific fix in the available references. Users are advised to update the firmware to a version that removes default keys or allows key customization. If no update is available, workarounds include manually replacing the keys via the device's key management interface or implementing network segmentation to limit exposure. The vulnerability is not currently listed on the CISA KEV.