OTPulse

Moxa: Moxa’s Response Regarding the CPU Hardware Vulnerability to Side-Channel Attacks (Meltdown & Spectre)

Act Now
Jan 16, 2018
Summary

Moxa's response to CPU hardware vulnerabilities CVE-2017-5753 (Spectre), CVE-2017-5715 (Spectre variant 2), and CVE-2017-5754 (Meltdown) announced in January 2018. These are side-channel attacks on microprocessor speculative execution that could allow an attacker to read kernel memory or microprocessor information. Most Moxa products operate on closed systems and do not allow arbitrary code execution. Moxa devices using general-purpose computer platforms with vulnerable microprocessors may be indirectly affected. Mitigation updates are available from microprocessor and operating system vendors; Moxa states it will release updates based on vendor guidance.

What this means
What could happen
If a Moxa device runs on a vulnerable processor and an attacker can execute code on it, sensitive kernel memory or system information could be exposed. For most closed-system Moxa devices, the risk is low because they do not permit arbitrary code execution.
Who's at risk
Moxa product users in water utilities, power distribution, manufacturing, and other industrial automation environments should review their device specifications. The risk is primarily for Moxa devices that run on general-purpose computer platforms (PCs, industrial PCs) rather than closed embedded systems. Devices in process control, RTUs, and network management roles could be affected if they expose kernel execution to attackers.
How it could be exploited
An attacker would need to first execute arbitrary code on a Moxa device (via another vulnerability, misconfiguration, or direct access). Once code execution is achieved, the attacker can run a side-channel attack to read kernel memory or processor state. Most Moxa products do not allow this initial code execution step because they run on closed systems without user code execution capabilities.
Prerequisites
  • Ability to execute arbitrary code on the target Moxa device
  • Device must run on a processor with Spectre/Meltdown vulnerability
  • Access to the device or a way to place malicious code on it
  • Low complexity exploitation
  • Requires prior code execution
  • Affects devices with vulnerable processors
  • High EPSS score (94.3%)
  • Most Moxa products are closed systems that prevent code execution
Exploitability
High exploit probability (EPSS 94.3%)
Affected products (1)
Product | Affected Versions | Fix Status
Moxa’s Response Regarding the CPU Hardware Vulnerability to Side-Channel Attacks (Meltdown & Spectre) | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict any user-accessible scripting, plugin, or code execution features on Moxa devices if available and not required for operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: For Moxa devices using general-purpose platforms, apply microprocessor firmware updates (BIOS/microcode) and operating system patches released by the hardware/OS vendor to mitigate Spectre and Meltdown.
HOTFIX: Monitor Moxa's security advisories and vendor updates for device-specific patches. Contact Moxa support to determine if your specific devices require updates.
Long-term hardening
HARDENING: Check which of your Moxa devices run on general-purpose computer platforms (IPC, industrial PCs) versus closed embedded systems. Document the processor type and operating system version for each.
HARDENING: Implement network segmentation to prevent untrusted users or systems from gaining code execution access to Moxa devices. Restrict SSH, RDP, and remote engineering access to engineering networks.
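
A read-only check for the inventory and patch-verification steps above, added here as an example and not Moxa's or OTPulse's own tooling: it records kernel, CPU model and microcode revision, then reads the kernel's reported mitigation state for the three CVEs. It assumes a Linux-based general-purpose platform whose kernel exposes /sys/devices/system/cpu/vulnerabilities; the function names are illustrative.

```shell
#!/bin/sh
# Added example: read-only Spectre/Meltdown mitigation inventory for a Linux host.
# Assumption: the kernel exposes the sysfs directory below (Linux 4.15+ or a backport).
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status string to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;   # empty or unrecognised status
    esac
}

# Print tab-separated "<CVE> <sysfs entry> <verdict> <raw status>" per advisory CVE.
audit_dir() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        entry=${pair##*:}
        if [ -r "$dir/$entry" ]; then
            raw=$(cat "$dir/$entry")
        else
            raw=""   # no file: kernel predates the reporting interface, treat as unknown
        fi
        printf '%s\t%s\t%s\t%s\n' "$cve" "$entry" "$(classify_status "$raw")" "${raw:-no sysfs entry}"
    done
}

# Succeeds (exit 0) when any entry is VULNERABLE or UNKNOWN, i.e. follow-up is needed.
needs_action() {
    audit_dir "${1:-}" | awk -F'\t' '$3 == "VULNERABLE" || $3 == "UNKNOWN" { bad = 1 } END { exit (bad ? 0 : 1) }'
}

# Host record for the asset inventory: kernel, CPU model, microcode revision.
host_record() {
    echo "kernel: $(uname -r)"
    grep -m1 'model name' /proc/cpuinfo 2>/dev/null || echo "model name: not reported"
    grep -m1 'microcode' /proc/cpuinfo 2>/dev/null || echo "microcode: not reported"
}

host_record
audit_dir
```

An UNKNOWN verdict on a patched-looking host usually means the kernel is too old to report status, which is itself a reason to check the OS vendor's update level.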