Claroty identifies five vulnerabilities in Moxa's MXview software

Claroty

Monday, 14 February, 2022

Claroty’s Team82 cybersecurity team has identified five vulnerabilities in Moxa’s MXview web-based network management system.

Collectively, ICS-CERT has scored these vulnerabilities a 10.0, its highest criticality score (see ICS-CERT’s advisory here). An unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server.

MXview network management software versions 3.x to 3.2.2 are affected and Moxa recommends users upgrade MXview to version 3.2.4 or higher to remediate these vulnerabilities.

Moxa’s MXview is a web-based network management system designed for monitoring and managing Moxa-based devices. MXview consists of multiple components: a web server written in NodeJS, a backend process called MXview Core that monitors all managed computers, a Postgres database and an MQTT message broker that transfers messages to and from the different components in the MXview environment.

Team82’s research into MXview uncovered five vulnerabilities in the MXview platform that could allow a remote, unauthenticated attacker to execute code on the hosting machine with the highest Windows privileges available: NT AUTHORITY\SYSTEM.

As part of MXview’s business logic, different processes and tasks communicate by sending and receiving messages using an MQTT broker named Mosquitto.

MQTT is a publisher/subscriber protocol aimed at allowing remote asynchronous communication. Two entities reside in the MQTT protocol: a client that sends and receives messages and a broker that routes messages to the appropriate clients.

In order to distribute messages to the correct clients, the broker holds a list of topics, or channels, where publishers could send messages. In order for a client to receive messages, it must subscribe to a topic. Whenever a message is sent to a specific topic, the broker distributes it to all subscribed users.

Behind the scenes, the MXview software distributes most of its IPC/RPC messages through the MQTT server and registers many callbacks on certain topics. In addition, most of the MXview APIs use the MQTT protocol to receive and handle requests.

Sensitive information, such as credentials, is sent through the MQTT channels, and many callbacks are registered to perform certain actions whenever a message is sent. Thus, gaining access to the MQTT broker via these vulnerabilities would allow a malicious actor to exfiltrate sensitive data and abuse other vulnerabilities to execute remote commands.

Team82’s research

Team82 disclosed five vulnerabilities (CVE-2021-38452, CVE-2021-38456, CVE-2021-38460, CVE-2021-38458 and CVE-2021-38454) in the MXview platform.

All disclosed vulnerabilities have since been patched by Moxa, and users should upgrade their systems, as described above.

In particular, the vulnerabilities chain together: a path-traversal flaw leads to an information leak by which MQTT credentials can be gained, which in turn allows MQTT message injection.

Team82 identified a file-read vulnerability that allows an unauthenticated attacker to read any file on the target operating system. Most of MXview’s web routes require a user to be authenticated; however, one specific route does not, and in that route Team82 identified a vulnerability allowing a malicious actor to read any file.

This lack of validation allows a user to supply path-traversal characters that fetch arbitrary files. Furthermore, since many passwords and configurations are saved on the disk as clear text, a malicious user could use this unauthenticated file-read primitive to retrieve secret passwords and configurations (i.e., the password to the MQTT broker).

Team82 also identified a remote code execution vulnerability, allowing any user with access to the MQTT broker (and, as described above, in most cases this access is enabled by default without requiring the attacker to know a secret password) to execute arbitrary code with the highest Windows privileges possible: NT AUTHORITY\SYSTEM.

It was also discovered that an MXview feature that allows users to add custom icons can be abused by MQTT injection, allowing the creation of arbitrary files on the host server’s file system.

A more detailed description with proof-of-concept intrusions can be found here.
