OTPulse

Moxa MXsecurity Series Multiple Vulnerabilities

CVSS 9.8 | MPSA-230403 | Sep 1, 2023
Summary

Moxa MXsecurity Series contains multiple critical authentication and input validation vulnerabilities across all versions:
  1. CVE-2023-39979: Small space of random values allows attackers to bypass authentication entirely and gain unauthorized access without credentials (CVSS 9.8).
  2. CVE-2023-39980: SQL injection in the device allows authenticated attackers to modify SQL commands and disclose sensitive information (CVSS 7.1).
  3. CVE-2023-39981: Improper authentication implementation allows unauthenticated attackers to disclose device information and configuration details (CVSS 7.5).
  4. CVE-2023-39982: Hard-coded credentials in the device enable attackers to decrypt SSH traffic and facilitate man-in-the-middle attacks (CVSS 7.5).
  5. CVE-2023-39983: Improper control of object attributes allows attackers to register or add unauthorized devices via the nsm-web application (CVSS 5.3).
All vulnerabilities are network-exploitable with no patch available from Moxa.

What this means
What could happen
An attacker could bypass authentication on the MXsecurity device and gain unauthorized access to control functions, sensitive configuration data, and decrypt encrypted traffic. This could allow an attacker to alter device settings, add unauthorized devices to the network, or intercept administrative communications.
Who's at risk
Transportation industry operators using Moxa MXsecurity Series for network security management, device monitoring, or SSH access control. This includes utility operators using MXsecurity for securing remote terminal units (RTUs), programmable logic controllers (PLCs), or other field devices in transportation networks. Any organization relying on MXsecurity for authentication or encryption of industrial control communications should be considered affected.
How it could be exploited
An attacker on the network can exploit CVE-2023-39979 or CVE-2023-39981 to bypass authentication without credentials and access the management interface. Once authenticated, they could use CVE-2023-39980 (SQL injection) to extract sensitive data or use CVE-2023-39982 (hard-coded credentials) to decrypt SSH communications. CVE-2023-39983 allows attackers to register malicious devices into the system management application.
Prerequisites
  • Network reachability to the MXsecurity device management interface (default ports: web interface, SSH)
  • CVE-2023-39979 and CVE-2023-39981 require no authentication; others require initial access via one of the authentication bypass vulnerabilities
  • remotely exploitable
  • no authentication required (CVE-2023-39979, CVE-2023-39981, CVE-2023-39983)
  • low complexity
  • affects network management and security infrastructure
  • no patch available
  • hard-coded credentials present
  • critical CVSS score (9.8)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product                                      Affected Versions   Fix Status
MXsecurity Series Multiple Vulnerabilities   All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: isolate the MXsecurity management interface behind a firewall that restricts network access to trusted engineering workstations only. Block all inbound connections from untrusted or unknown networks.
WORKAROUND: Disable or restrict the nsm-web application if not actively required for operations. If required, restrict web interface access to specific IP addresses and apply strict firewall rules.
WORKAROUND: Monitor for unauthorized device registrations in the nsm-web application and audit the device list regularly for unknown or suspicious entries.
HARDENING: Establish a network monitoring program to detect unexpected connections to the MXsecurity device and SSH traffic, especially from external or unusual sources.
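The two monitoring controls above (unexpected management-interface connections, and unapproved nsm-web device registrations) as a small detection script. This is an added example, not OTPulse or Moxa code; it assumes connection events arrive as constructed "src=... dst=... dport=..." lines, that the web interface listens on 443 and SSH on 22, and that the operator maintains the allowlist of engineering workstations.

```python
"""Detection helpers for the MXsecurity compensating controls (added example).
Assumed inputs: constructed connection-log lines and an operator-maintained
allowlist of engineering workstation addresses."""
import re
from typing import Iterable

# Management services the advisory names (web interface, SSH). The port
# numbers are an assumption; adjust to the deployed configuration.
MGMT_PORTS = {443: "web", 22: "ssh"}

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<p>"
LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def find_unexpected_connections(
    log_lines: Iterable[str], device_ip: str, allowed_sources: set[str]
) -> list[dict]:
    """Return each connection to a management port on the MXsecurity device
    whose source is not a trusted engineering workstation."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m["dst"] != device_ip:
            continue  # malformed line or traffic to some other host
        dport = int(m["dport"])
        if dport in MGMT_PORTS and m["src"] not in allowed_sources:
            alerts.append({"src": m["src"], "service": MGMT_PORTS[dport], "line": line.strip()})
    return alerts


def audit_device_list(expected: set[str], registered: Iterable[str]) -> set[str]:
    """Entries in the nsm-web device list that the operator never approved
    (CVE-2023-39983 allows unauthorized registrations)."""
    return set(registered) - expected


# Constructed sample data: one trusted workstation, one stray host reaching
# SSH on the device, and one unrelated flow that must not alert.
SAMPLE_LOG = [
    "2023-09-01T10:00:01Z src=10.10.5.20 dst=10.10.5.1 dport=443 proto=tcp",
    "2023-09-01T10:00:07Z src=192.168.77.9 dst=10.10.5.1 dport=22 proto=tcp",
    "2023-09-01T10:00:09Z src=192.168.77.9 dst=10.10.5.50 dport=502 proto=tcp",
]

if __name__ == "__main__":
    for a in find_unexpected_connections(SAMPLE_LOG, "10.10.5.1", {"10.10.5.20"}):
        print(f"ALERT {a['service']} access from {a['src']}: {a['line']}")
    print(audit_device_list({"rtu-01", "plc-07"}, ["rtu-01", "plc-07", "unknown-device-3"]))
```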
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If possible, replace the MXsecurity Series with an alternative network security solution that has current vendor support and security patches. Contact Moxa to request an alternative product or migration path.
Mitigations - no patch available
The MXsecurity Series has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Document all hard-coded credentials in the MXsecurity device and ensure they are never used for authentication in external-facing systems or trusted networks.
API: /api/v1/advisories/de4e7e86-64d7-4170-8088-0f6d9e47db7d