OTPulse

Moxa Active OPC Server Unquoted Service Path Escalation Vulnerability

Score: 8.8
Reference: ICS-CERT ICSA-16-264-01
Date: Jun 24, 2016
Attack vector: Local
Auth required: Low
Complexity: Low
User interaction: None needed
Summary

Moxa Active OPC Server versions prior to 2.4.19 register their Windows service with an unquoted executable path that contains spaces. A local user with write access to any directory along that path can place an executable that Windows runs with SYSTEM privileges when the service starts, giving the user SYSTEM-level access to the OPC server host (local privilege escalation).

What this means
What could happen
A user with local access to the system can exploit an unquoted service path to escalate privileges to SYSTEM level, potentially allowing them to modify industrial device settings or interfere with monitoring systems depending on what the OPC server controls.
Who's at risk
This affects any organization using Moxa Active OPC Server (version prior to 2.4.19) in their industrial monitoring or SCADA infrastructure. OPC servers are commonly used in water treatment plants, power distribution systems, manufacturing facilities, and other critical infrastructure to collect data from PLCs, RTUs, and other field devices. Any operator in these environments should ensure their OPC server is patched.
How it could be exploited
An attacker with local user access could create an executable in a directory along the unquoted service path before the Moxa OPC server service is (re)started. Because the path is unquoted, Windows resolves it by trying each space-delimited prefix (with ".exe" appended) before the full path, so it executes the attacker's file instead of the legitimate OPC server binary, with SYSTEM privileges.
Prerequisites
  • Local user access to the Windows system where OPC server is running
  • Ability to write files to a directory in the unquoted service path (typically C:\Program Files or C:\Program Files (x86) directories)
  • Ability to restart the OPC server service or trigger a system restart
Tags: Unquoted service path weakness · Local privilege escalation · Affects OT monitoring systems · Low complexity exploit
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product            Affected Versions   Fix Status
Active OPC Server  <2.4.19             Fixed in 2.4.19
Remediation & Mitigation
Do now
[HARDENING] Apply Windows NTFS permissions to Program Files directories to prevent unprivileged users from creating files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

[HOTFIX] Update Moxa Active OPC Server to version 2.4.19 or later
Long-term hardening
[HARDENING] Restrict local user access to systems running OPC server; limit which user accounts can log in locally
[HARDENING] Implement the principle of least privilege: run the OPC server under a dedicated service account with the minimal necessary permissions
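The following audit script is an added example, not part of the OTPulse advisory or of Moxa's software. It covers both the exploitation mechanism described under "How it could be exploited" and the first two remediation items: for a given service ImagePath it reproduces the prefix search Windows performs on an unquoted path, reports which of those candidate locations sit in a directory an unprivileged user can write to, and produces the quoted path that closes the hole. The Moxa install path, the other service entries and the writable directory are constructed sample values (the advisory does not give the real install location); on a real host the inputs come from `Get-CimInstance Win32_Service` and from `icacls` / `Get-Acl` output.

```python
import ntpath
from typing import Dict, List, Set, Tuple

# Constructed sample service definitions. The Moxa entry is a hypothetical
# install location chosen for illustration, not the product's real path.
SAMPLE_SERVICES: Dict[str, str] = {
    "ActiveOPCServer": r"C:\Program Files (x86)\Moxa\Active OPC Server\ActiveOPCServer.exe",
    "QuotedVendorSvc": r'"C:\Program Files\Vendor\Tool Name\tool.exe" -service',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Constructed example of an over-permissive directory (as if an installer had
# granted Users modify rights). On a real host this set comes from an ACL audit.
SAMPLE_WRITABLE_DIRS: Set[str] = {r"C:\Program Files (x86)\Moxa"}


def split_image_path(image_path: str) -> Tuple[str, str]:
    """Return (executable_part, argument_part) for an unquoted ImagePath.

    The executable part is everything up to and including the first ".exe";
    anything after it is treated as service arguments.
    """
    p = image_path.strip()
    idx = p.lower().find(".exe")
    if idx == -1:
        return p, ""
    return p[: idx + 4], p[idx + 4 :]


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable part has a space."""
    p = image_path.strip()
    if p.startswith('"'):
        return False
    exe, _ = split_image_path(p)
    return " " in exe


def candidate_paths(image_path: str) -> List[str]:
    r"""Paths Windows tries, in order, when the executable part is unquoted.

    Each space is treated as a possible end of the program name and ".exe"
    is appended to the prefix, so "C:\Program Files\X Y\z.exe" yields
    C:\Program.exe, C:\Program Files.exe, C:\Program Files\X.exe and finally
    the legitimate path. The last element is always the real executable.
    """
    exe, _ = split_image_path(image_path)
    tokens = exe.split(" ")
    candidates = [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]
    candidates.append(exe)
    return candidates


def audit(services: Dict[str, str], writable_dirs: Set[str]) -> Dict[str, List[str]]:
    """Map each vulnerable service to the candidate paths whose parent directory
    is writable by unprivileged users; these are the locations to lock down."""
    normalized = {ntpath.normcase(d) for d in writable_dirs}
    findings: Dict[str, List[str]] = {}
    for name, image_path in services.items():
        if not is_unquoted_with_spaces(image_path):
            continue
        exposed = [
            c for c in candidate_paths(image_path)[:-1]  # skip the real binary
            if ntpath.normcase(ntpath.dirname(c)) in normalized
        ]
        if exposed:
            findings[name] = exposed
    return findings


def quote_image_path(image_path: str) -> str:
    """The fix: wrap the executable part in double quotes and keep the arguments."""
    p = image_path.strip()
    if not is_unquoted_with_spaces(p):
        return p
    exe, args = split_image_path(p)
    return f'"{exe}"{args}'


if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES, SAMPLE_WRITABLE_DIRS).items():
        print(f"{svc}: unquoted path with writable candidate locations:")
        for path in paths:
            print(f"  {path}")
        print(f"  corrected ImagePath: {quote_image_path(SAMPLE_SERVICES[svc])}")
```

Two of the candidate locations in the sample (`C:\Program.exe` and `C:\Program Files.exe`) are not reported because the constructed writable set does not include `C:\`; the NTFS hardening item above is what keeps the remaining ones out of reach until the vendor update (whose installer registers a properly quoted path) is applied.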