Overview

On February 14, 2022, researchers from Claroty’s Team82 disclosed several security flaws in Moxa’s MXview web-based network management system. Some of those flaws could be chained by an attacker to achieve remote code execution on unpatched MXview servers. The five vulnerabilities could allow for a remote, unauthenticated threat actor to execute code on a machine with high privileges.  

The affected versions (3.x to 3.2.2) have a collective score of 10 out of 10 on the CVSS vulnerability-severity scale. Out of the five vulnerabilities, CVE-2021-38452, CVE-2021-38460 and CVE-2021-38458 can be chained together to achieve remote code execution. The other two vulnerabilities, CVE-2021-38456 and CVE-2021-38454, can be used to lift passwords and other sensitive information. The vulnerabilities were patched in September 2021 after the release of version 3.2.4 but the severity of the flaws was not disclosed until recently.  

MXview configures and monitors network devices in industrial control systems and in operational technology networks. There are multiple components to the software, including a MQTT message broker named Mosquito. The message broker transfers messages to and from the various components in the MXview environment. MQTT is where the vulnerabilities lie due to sensitive information (like credentials) being sent through the MQTT channels.  

According to Bud Broomhead, (CEO at Viakoo) Moxa’s MXview is a significant software in the overall IoT market, but very few network management vendors focus on it. This means that the significance of the security bugs in MXview is high. Also, not all end users using the software will have the IT resources to quickly mitigate the vulnerabilities – making the high severity vulnerabilities extremely dangerous.  

If an attacker is successful in the exploitation of the vulnerabilities, they will be able to create or overwrite critical files to execute code, obtain credentials, read and modify data, gain access to the program, and allow remote connections to internal communication channels. The vulnerabilities are as follows:  

  • CVE-2021-38452 - A path traversal vulnerability in the application that allows for the overwrite of critical files used to execute code 
  • CVE-2021-38454 - A misconfigured service that allows remote connections to MQTT 
  • CVE-2021-38456 – Allows for the use of hard-coded passwords 
  • CVE-2021-38458  - Issue with improper neutralization of special elements that could lead to remote execution of unauthorized commands 
  • CVE-2021-38460 – This could allow an attacker to obtain credentials 

 


How Avertium is Protecting Our Customers:

  • We offer EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.  
    • SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.  
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  
  • MDR provides an in-depth investigation into potential threats on an organization’s network. Avertium’s risk-based approach to managed security delivers the right combination of technology, field-validated threat intelligence, and resource empowerment to reduce complexity, streamline operations, and enhance cybersecurity resilience. If you need a more advanced security solution, MDR is the next step. MDR is an outsourced security control solution that includes the elements of EDR, enhanced with a range of fundamental security processes. 



Avertium's recommendations

Moxa recommends that its users do the following:  
  • Upgrade to software package v3.2.4 or higher. 
  • Users should change their Windows password regularly and use a firewall. 
  • If users need to use a multiple-site function, Moxa recommends a firewall to block Port 8883. If users do not have this requirement, Moxa suggests using the firewall to assign the Accessible IP of MXview at the client site. 
Avertium and CISA recommend:  
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. 
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network. 
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 
  • Perform proper impact analysis and risk assessment prior to deploying defensive measures. 



 

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.   

 

 

references

Moxa MXview Network Management Software | CISA 

Critical Security Flaws Reported in Moxa MXview Network Management Software (thehackernews.com) 

Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa | Threatpost 

Moxa MXview Vulnerabilities Expose Industrial Networks to Attacks | SecurityWeek.Com 

 

Related Reading:

How WhisperGate Affects the U.S. and Ukraine

 

Contact us for more information about Avertium’s managed security service capabilities.