On February 14, 2022, researchers from Claroty's Team82 disclosed several security flaws in Moxa's MXview web-based network management system. Some of those flaws can be chained to achieve remote code execution on unpatched MXview servers. Together, the five vulnerabilities allow a remote, unauthenticated attacker to execute code with high privileges on the MXview host.
Affected versions (3.x through 3.2.2) carry a collective CVSS score of 10.0 out of 10. Of the five vulnerabilities, CVE-2021-38452, CVE-2021-38460 and CVE-2021-38458 can be chained to achieve remote code execution. The other two, CVE-2021-38456 and CVE-2021-38454, can be used to lift passwords and other sensitive information. Moxa patched the flaws in September 2021 with the release of version 3.2.4, but the full technical details were not published until Team82's disclosure in February 2022.
MXview configures and monitors network devices in industrial control systems and operational technology networks. The software is built from several components, including an MQTT message broker, Mosquitto, which relays messages between those components. The vulnerabilities centre on this MQTT layer: the broker is reachable without adequate protection, and sensitive information, including credentials, travels over its channels.
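The exposure described above (a broker that any client can reach and that carries credentials) is the kind of thing a defender can check for in a Mosquitto configuration before an attacker does. The following is an added example, not code from Moxa, Claroty or Avertium, and it says nothing about how MXview itself configures its broker: it parses mosquitto.conf-style text (only the keywords that decide who can reach a listener and whether they must authenticate) and flags network-facing listeners that allow anonymous clients or run without TLS. The function names, the two sample configs and the file paths in them are constructed for illustration.

```python
"""Audit a Mosquitto broker configuration for network exposure.

Added example for this advisory; not Moxa's, Claroty's or Avertium's code.
Assumes mosquitto.conf-style text and handles only the keywords relevant to
reachability and authentication (listener/port, bind_address, certfile,
keyfile, allow_anonymous). Sample configs below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ANY_INTERFACE = {"", "0.0.0.0", "::"}   # bind values that mean "every interface"


@dataclass
class Listener:
    port: int
    bind: str = ""                          # "" = every interface
    tls_files: Set[str] = field(default_factory=set)
    allow_anonymous: Optional[bool] = None  # None = inherit the global value

    @property
    def tls(self) -> bool:
        # Mosquitto only serves TLS when both certfile and keyfile are set
        return {"certfile", "keyfile"} <= self.tls_files


def parse_mosquitto_config(text: str) -> Tuple[bool, List[Listener]]:
    """Return (global allow_anonymous, listeners) from mosquitto.conf text.

    Simplification: a setting that appears after a `listener` line is
    attached to that listener; before any listener it is treated as global.
    """
    global_anonymous = False   # Mosquitto 2.x default
    listeners: List[Listener] = []
    current: Optional[Listener] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key in ("listener", "port") and args:
            current = Listener(int(args[0]), args[1] if len(args) > 1 else "")
            listeners.append(current)
        elif key == "bind_address" and current and args:
            current.bind = args[0]
        elif key in ("certfile", "keyfile") and current and args:
            current.tls_files.add(key)
        elif key == "allow_anonymous" and args:
            value = args[0].lower() == "true"
            if current is None:
                global_anonymous = value
            else:
                current.allow_anonymous = value
    return global_anonymous, listeners


def audit_mosquitto_config(text: str) -> List[str]:
    """Flag network-facing listeners that admit anonymous clients or
    carry credentials and topic data in cleartext."""
    global_anonymous, listeners = parse_mosquitto_config(text)
    findings: List[str] = []
    for lst in listeners:
        anonymous = global_anonymous if lst.allow_anonymous is None else lst.allow_anonymous
        if lst.bind not in ANY_INTERFACE:
            continue   # loopback-only listeners are reachable only by local components
        if anonymous:
            findings.append(f"listener {lst.port}: allow_anonymous true on a "
                            "network-facing listener; any client can connect")
        if not lst.tls:
            findings.append(f"listener {lst.port}: no certfile/keyfile; credentials "
                            "and topic data cross the network in cleartext")
    return findings


# Constructed sample configs (not taken from any product)
WEAK_CONFIG = """\
listener 1883
allow_anonymous true
"""

HARDENED_CONFIG = """\
per_listener_settings true

# local components talk over loopback; no network exposure
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd

# remote clients must present credentials over TLS
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
allow_anonymous false
password_file /etc/mosquitto/passwd
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mosquitto_config(cfg) or ["no findings"])
```

The weak sample produces two findings (anonymous access and cleartext transport on a listener bound to every interface); the hardened sample produces none, because the plaintext listener is confined to loopback and the network-facing one requires both TLS and credentials. The check deliberately ignores `per_listener_settings` and authentication plugins, so a real audit should confirm the effective settings on the running broker rather than trusting the file alone.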
According to Bud Broomhead (CEO at Viakoo), Moxa's MXview is a significant piece of software in the overall IoT market, but very few network management vendors focus on it. This means that the significance of the security bugs in MXview is high. Also, not all end users of the software will have the IT resources to quickly mitigate the vulnerabilities, which makes these high-severity flaws extremely dangerous.
If an attacker successfully exploits the vulnerabilities, they can create or overwrite critical files in order to execute code, obtain credentials, read and modify data, gain access to the application, and open remote connections to its internal communication channels. The vulnerabilities are as follows:
Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes.
At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
Moxa MXview Network Management Software (CISA)
Critical Security Flaws Reported in Moxa MXview Network Management Software (The Hacker News)
Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa (Threatpost)
Moxa MXview Vulnerabilities Expose Industrial Networks to Attacks (SecurityWeek)
Contact us for more information about Avertium’s managed security service capabilities.