Moxa Multiple Moxa Product Series Affected by CVE-2024-6387

Act NowCVSS 8.8MPSA-246387Aug 2, 2024

Moxa

Summary

Moxa uct devices are affected by CVE-2024-6387, a remote code execution vulnerability in OpenSSH. A race condition in the OpenSSH server's SIGALRM signal handler allows unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability occurs when an SSH client fails to authenticate within the LoginGraceTime period (default 120 seconds). The signal handler calls unsafe functions like syslog() in an asynchronous context, which can be exploited to achieve code execution. No firmware patch is available for affected Moxa uct devices.

What this means

What could happen

An attacker on the network can execute commands with root privileges on Moxa uct devices without authentication, potentially taking control of the device and disrupting critical infrastructure operations.

Who's at risk

This affects organizations using Moxa uct devices (industrial cellular gateways, secure routers, or other network edge devices). Water authorities and utility companies that rely on Moxa devices for remote site management, SCADA communications, or network access are at risk. The vulnerability is particularly concerning for devices that are internet-accessible or reachable from untrusted networks.

How it could be exploited

An attacker connects to SSH (port 22) on a vulnerable Moxa uct device and causes authentication to fail. They exploit a race condition in the OpenSSH signal handler that runs during the LoginGraceTime timeout period. By triggering unsafe syslog() calls in the asynchronous signal handler, the attacker can inject code that executes with root privileges on the device.

Prerequisites

Network access to SSH port 22 on the Moxa uct device
Ability to trigger failed SSH authentication within LoginGraceTime window (default 120 seconds)

Remotely exploitableNo authentication requiredHigh EPSS score (57.6%)No patch availableAffects industrial network infrastructure

Exploitability

Likely to be exploited — EPSS score 48.1%

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

uctAll versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDIsolate Moxa uct devices from untrusted networks using firewall rules that restrict SSH access (port 22) to trusted engineering workstations only

HARDENINGDisable SSH access on Moxa uct devices if remote management is not required

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor SSH login attempts and failures on Moxa uct devices for signs of exploitation attempts

Mitigations - no patch available

0/1

uct has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to ensure Moxa uct devices are on a restricted OT network not directly reachable from general corporate networks

CVEs (1)

CVE-2024-6387

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a6f869a4-0643-4897-b3ed-fa10608c0a91

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.