How to find Moxa MXview instances

Updated

Latest Moxa MXview vulnerability #

Security researchers with Claroty's Team82 recently published findings of five discovered vulnerabilities in Moxa's MXview software. Focused on "industrial network management", MXview enables management of deployed Operational Technologies (OT) and Industrial Control Systems (ICS) endpoints.

Which versions of MXview are affected? #

These published vulnerabilities reside in the MQTT messaging component of MXview and can be leveraged (and chained together) by an unauthenticated attacker to ultimately gain filesystem access to data (including credentials) or achieve remote code execution on vulnerable systems:

  • CVE-2021-38452 (CVSS "critical" score of 9.1) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
  • CVE-2021-38454 (CVSS "critical" score of 10.0) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
  • CVE-2021-38456 (CVSS "critical" score of 9.8) - hard-coded password vulnerability, may allow an attacker to gain access through accounts using default passwords
  • CVE-2021-38458 (CVSS "critical" score of 9.8) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code
  • CVE-2021-38460 (CVSS "high" score of 7.5) - path traversal vulnerability, may allow an attacker to create or overwrite critical files used to execute code

These vulnerabilities affect MXview versions 3.x to 3.2.2 and were disclosed to Moxa last September (and fixed at that time; associated ICS Advisory here).

An additional two MXview vulnerabilities, discovered by Patrick DeSantis of Cisco's Talos group, were disclosed last October. These affect all MXview versions up through (and including) 3.2.4, and involve hard-coded credentials and cleartext transmission of sensitive data:

  • CVE-2021-40390 (CVSS "critical" score of 10.0) - authentication bypass vulnerability, can lead to unauthorized access
  • CVE-2021-40392 (CVSS "medium" score of 5.3) - information disclosure vulnerability, can lead to disclosure of sensitive information via network sniffing

Given the severity of these vulnerabilities (including what can be accomplished via chaining) and the appeal of systems bridging network technologies, vulnerable targets may be of high interest to attackers.

Is an update available? #

Yes. Moxa has addressed all of the above vulnerabilities and strongly encourages folks who are running MXview to upgrade to version 3.2.6 or later.

How do I find potentially vulnerable Moxa MXview instances with runZero? #

From the Service Inventory, use the following pre-built query to locate Moxa MXview assets within your network that are potentially vulnerable:

_asset.protocol:http and protocol:http and (html.title:"mxview" or last.html.title:"mxview")
Find Moxa MXview instances

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try runZero #

Don't have runZero and need help finding potentially vulnerable MXview instances? Start your runZero trial today.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2
Palo Alto Networks disclosed that versions of their PAN-OS software have a vulnerability allowing for remote command injection. Here's how to find...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.
Rapid Response
How to find Brocade Fabric OS
On April 4, 2024, Broadcom disclosed a vulnerability in their Fabric OS operating system used in their Brocade storage networking devices. Here's...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved