On February 14, 2022, researchers from Claroty’s Team82 disclosed several security flaws in Moxa’s MXview web-based network management system. Some of those flaws could be chained by an attacker to achieve remote code execution on unpatched MXview servers. The five vulnerabilities could allow for a remote, unauthenticated threat actor to execute code on a machine with high privileges.
The affected versions (3.x to 3.2.2) have a collective score of 10 out of 10 on the CVSS vulnerability-severity scale. Out of the five vulnerabilities, CVE-2021-38452, CVE-2021-38460 and CVE-2021-38458 can be chained together to achieve remote code execution. The other two, CVE-2021-38456 and CVE-2021-38454, can be used to lift passwords and other sensitive information. The vulnerabilities were patched in September 2021 with the release of version 3.2.4, but the severity of the flaws was not disclosed until recently.
MXview configures and monitors network devices in industrial control systems and in operational technology networks. The software has multiple components, including an MQTT message broker named Mosquitto, which carries messages to and from the various components in the MXview environment. The MQTT layer is where the vulnerabilities lie, because sensitive information (such as credentials) is sent over the MQTT channels.
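As an added example (not code from the original post, from Moxa, or from Claroty), the following Python audit checks a Mosquitto broker configuration for the exposure classes this advisory describes: a listener reachable beyond loopback without TLS, anonymous access, and no topic ACLs. Both configuration texts are constructed for illustration, the file paths are placeholders, and the checks assume Mosquitto 2.x defaults rather than MXview's actual broker configuration.

```python
# Added audit of a Mosquitto config. Assumes Mosquitto 2.x semantics
# (allow_anonymous defaults to false); paths below are placeholders.
AUTH_KEYS = ("allow_anonymous", "password_file", "acl_file")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed weak config (not MXview's own): one cleartext listener on every
# interface that accepts anonymous clients.
WEAK_CONF = "listener 1883\nallow_anonymous true\n"

# Constructed hardened config: authentication and topic ACLs for everyone,
# loopback for local components, and TLS on the only network-facing listener.
HARDENED_CONF = """\
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
listener 1883 127.0.0.1
listener 8883
certfile /etc/mosquitto/server.crt
keyfile /etc/mosquitto/server.key
"""

def parse(conf):
    """Split directives into those before any `listener` line and per-listener blocks."""
    top, listeners, cur = {}, [], None
    for raw in conf.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key == "listener":
            port, _, bind = value.strip().partition(" ")
            cur = {"port": port, "bind": bind.strip() or "0.0.0.0"}
            listeners.append(cur)
        elif key:
            (top if cur is None else cur)[key] = value.strip()
    return top, listeners

def audit(conf):
    """Return one finding per risky listener setting; an empty list means all checks passed."""
    top, listeners = parse(conf)
    # Without per_listener_settings, auth directives anywhere in the file apply globally.
    if top.get("per_listener_settings") != "true":
        shared = {k: v for d in [top, *listeners] for k, v in d.items() if k in AUTH_KEYS}
        listeners = [{**lst, **shared} for lst in listeners]
    findings = []
    for lst in listeners:
        name, remote = f"listener {lst['port']}", lst["bind"] not in LOOPBACK
        if remote and not ("certfile" in lst and "keyfile" in lst):
            findings.append(f"{name}: reachable beyond loopback without TLS, payloads travel in cleartext")
        if lst.get("allow_anonymous") == "true":
            findings.append(f"{name}: allow_anonymous true, unauthenticated clients can read internal channels")
        if "acl_file" not in lst:
            findings.append(f"{name}: no acl_file, any connected client can subscribe to every topic")
    return findings
```

Running `audit(WEAK_CONF)` reports three findings, while `audit(HARDENED_CONF)` returns an empty list.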
According to Bud Broomhead (CEO at Viakoo), Moxa’s MXview is a significant software in the overall IoT market, but very few network management vendors focus on it. This means that the significance of the security bugs in MXview is high. Also, not all end users of the software will have the IT resources to quickly mitigate the vulnerabilities, making the high severity vulnerabilities extremely dangerous.
If an attacker successfully exploits the vulnerabilities, they can create or overwrite critical files to execute code, obtain credentials, read and modify data, gain access to the program, and allow remote connections to internal communication channels. The vulnerabilities are as follows:
At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.