Technical details have been disclosed regarding a number of security vulnerabilities affecting Moxa’s MXview web-based network management system, some of which could be chained by an unauthenticated adversary to achieve remote code execution on unpatched servers.
The five security weaknesses “could allow a remote, unauthenticated attacker to execute code on the hosting machine with the highest privileges available: NT AUTHORITY\SYSTEM,” Claroty security researcher Noam Moshe said in a report published this week.
Moxa MXview is designed for configuring, monitoring, and diagnosing networking devices in industrial networks. The flaws, which affect versions 3.x to 3.2.2 of the network management software, were rectified in version 3.2.4 or higher following a coordinated disclosure process in October 2021.
“Successful exploitation of these vulnerabilities may allow an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.
MQTT refers to a messaging protocol that facilitates remote asynchronous communication, enabling the transfer of messages to and from different components in an MXview environment.
The list of flaws is as follows —
- CVE-2021-38452 (CVSS score: 7.5) – A path traversal vulnerability in the application, allowing the access or overwrite of critical files used to execute code
- CVE-2021-38454 (CVSS score: 10.0) – A misconfigured service that allows remote connections to MQTT, making it possible to remotely interact and use the communication channel
- CVE-2021-38456 (CVSS score: 9.8) – Use of hard-coded passwords
- CVE-2021-38458 (CVSS score: 9.8) – An issue with improper neutralization of special elements that could lead to remote execution of unauthorized commands
- CVE-2021-38460 (CVSS score: 7.5) – A case of password leakage that may allow an attacker to obtain credentials
Three of the aforementioned flaws — CVE-2021-38452, CVE-2021-38454, and CVE-2021-38458, could be strung together to achieve pre-authenticated remote code execution on vulnerable MXView instances with SYSTEM privileges.
In a hypothetical attack scenario devised by Claroty, CVE-2021-38452 could be abused to get hold of the plain-text MQTT password by reading the configuration file gateway-upper.ini, followed by leveraging CVE-2021-38454 to inject rogue MQTT messages, triggering code execution through command injection on the server.
“An attacker injects malicious messages to the MQTT broker directly, bypassing all input validation performed by the server, and achieves arbitrary remote code execution through the OS command injection vulnerability,” Moshe explained.