Finding Moxa MXview instances
Security researchers with Claroty’s Team82 recently published findings of five discovered vulnerabilities in Moxa’s MXview software. Focused on “industrial network management”, MXview enables management of deployed Operational Technologies (OT) and Industrial Control Systems (ICS) endpoints.
Which versions of MXview are affected? #
These published vulnerabilities reside in the MQTT messaging component of MXview and can be leveraged (and chained together) by an unauthenticated attacker to ultimately gain filesystem access to data (including credentials) or achieve remote code execution on vulnerable systems:
- CVE-2021-38452 (CVSS “critical” score of 9.1) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
- CVE-2021-38454 (CVSS “critical” score of 10.0) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
- CVE-2021-38456 (CVSS “critical” score of 9.8) - hard-coded password vulnerability, may allow an attacker to gain access through accounts using default passwords
- CVE-2021-38458 (CVSS “critical” score of 9.8) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
- CVE-2021-38460 (CVSS “high” score of 7.5) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
An additional two MXview vulnerabilities, discovered by Patrick DeSantis of Cisco’s Talos group, were disclosed last October. These affect all MXview versions up through (and including) 3.2.4, and involve hard-coded credentials and cleartext transmission of sensitive data:
- CVE-2021-40390 (CVSS “critical” score of 10.0) - authentication bypass vulnerability, can lead to unauthorized access
- CVE-2021-40392 (CVSS “medium” score of 5.3) - information disclosure vulnerability, can lead to disclosure of sensitive information via network sniffing
Given the severity of these vulnerabilities (including what can be accomplished via chaining) and the appeal of systems bridging network technologies, vulnerable targets may be of high interest to attackers.
Is an update available? #
Yes. Moxa has addressed all of the above vulnerabilities and strongly encourages folks who are running MXview to upgrade to version 3.2.6 or later.
How do I find potentially vulnerable Moxa MXview instances with runZero? #
_asset.protocol:http and protocol:http and (html.title:"mxview" or last.html.title:"mxview")
Try runZero #
Don’t have runZero and need help finding potentially vulnerable MXview instances? Start your runZero trial today.
September 26, 2023
How to find TeamCity instances
How to find TeamCity assets? # On September 20th, JetBrains announced a critical authentication bypass vulnerability that impacts users running the TeamCity On-Premises product. The vulnerability is being tracked using CVE-2023-42793 and presents the weakness of CWE-288 …Read More
September 12, 2023
How to find OpenSSL 1.1 instances
How to find OpenSSL 1.1 instances # On September 11th, the venerable OpenSSL 1.1.1 reached its end of life date. That means that it will no longer be receiving publicly-available security fixes. Users without a third-party extended support contract will no longer receive …Read More
July 31, 2023
How to find Ivanti EPMM (MobileIron Core)
How to find Ivanti Endpoint Manager Mobile (EPMM) with runZero # On July 24th, Ivanti announced that their Endpoint Manager Mobile (EPMM, formerly MobileIron Core) product versions 11.10 and prior contain a critical authentication bypass vulnerability. Successfully …Read More