Moxa MXsecurity Command Injection and Hardcoded Credential Vulnerabilities
Low Risk · May 29, 2023
Summary
Two vulnerabilities reported in Moxa MXsecurity, affecting the SSH CLI and the web-based APIs:
1. CVE-2023-33235 (ZDI-CAN-19895): Command injection in the SSH CLI program. An attacker with authorization privileges can break out of the restricted shell and execute arbitrary commands on the device.
2. CVE-2023-33236 (ZDI-CAN-19896): Hardcoded credentials in JWT token generation. An attacker can craft arbitrary JWT tokens to bypass authentication for the web-based APIs.
What this means
What could happen
An authorized SSH user could escape shell restrictions and run arbitrary commands on the MXsecurity device, potentially altering security configurations or disabling protections. Additionally, an attacker could bypass API authentication using hardcoded credentials, gaining unauthorized access to management functions.
Who's at risk
Moxa MXsecurity is a security management appliance used by industrial facilities and utilities to defend industrial control system networks. Operators running MXsecurity, especially where restricted shell access is relied on or where the device protects ICS networks, should prioritize assessment and containment.
How it could be exploited
For CVE-2023-33235: An attacker with valid SSH credentials connects to the CLI, injects shell metacharacters into command arguments to break out of the restricted shell environment, and executes arbitrary system commands. For CVE-2023-33236: An attacker uses the hardcoded secret embedded in the device's JWT generation to forge valid JWTs without any legitimate credentials, then presents those tokens to authenticate to the web-based APIs.
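The following is an added illustration of the bug class behind CVE-2023-33235, not Moxa's CLI code: a restricted-shell command (hypothetically "ping <host>") that builds a system command by string concatenation, beside the same command passed as argv with an allowlist. The wrapped tool is stood in by echo so the example runs offline; the attacker input is constructed.

```python
"""Restricted-CLI command injection: vulnerable wrapper beside hardened ones.

Added example, not Moxa code. Assumes a CLI command that wraps a system
tool and receives one user-supplied argument. The injected marker and the
'pinging' text are invented for the demonstration.
"""
import re
import subprocess

# Stand-in for the real tool the CLI wraps (ping, traceroute, ...). echo is
# used so the example runs offline; the injection mechanics are identical.
WRAPPED_TOOL = "echo"

# Allowlist: hostname / IPv4 characters only, and never a leading '-', so the
# argument cannot be parsed as an option (e.g. "-f") by the wrapped tool.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")

# Constructed attacker input: ';' ends the intended command and starts a new one.
INJECTION = "127.0.0.1; echo INJECTED"


def vulnerable_ping(user_input: str) -> str:
    """Command string handed to /bin/sh: metacharacters become new commands."""
    cmd = f"{WRAPPED_TOOL} pinging {user_input}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_ping(user_input: str) -> str:
    """No shell involved: the whole input is one argv element, ';' is just text."""
    argv = [WRAPPED_TOOL, "pinging", user_input]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_ping(user_input: str) -> str:
    """argv plus allowlist validation, which also blocks option injection."""
    if not HOST_RE.fullmatch(user_input):
        raise ValueError(f"rejected argument: {user_input!r}")
    argv = [WRAPPED_TOOL, "pinging", user_input]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(vulnerable_ping(INJECTION), end="")   # second line: INJECTED
    print(argv_only_ping(INJECTION), end="")    # one line, marker never runs
    try:
        hardened_ping(INJECTION)
    except ValueError as exc:
        print(exc)
    print(hardened_ping("10.0.0.1"), end="")
```

The argv form alone defeats the metacharacter breakout; the allowlist is still needed because the wrapped tool may treat a crafted argument as an option, which is a separate way to change what the command does.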
Prerequisites
- Valid SSH credentials for CLI access (CVE-2023-33235)
- Network access to SSH port (22 or configured SSH port)
- Knowledge of hardcoded credential values or JWT token structure (CVE-2023-33236)
- Network access to web API endpoints (CVE-2023-33236)
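To make the second prerequisite concrete, here is an added example (not Moxa code, and not the real secret or algorithm, which the advisory does not disclose) showing why a hardcoded JWT signing secret is an authentication bypass. It assumes HS256 tokens, an attacker who has recovered the fixed secret from firmware, and a hardened build that instead uses a per-install random key. The secret value is constructed.

```python
"""Why a hardcoded JWT signing secret is an authentication bypass, and the fix.

Added illustration, not Moxa code. Assumptions (not from the advisory): the
device signs HS256 JWTs, the attacker holds the fixed secret, and the
hardened build uses a per-install random key instead. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical factory secret shared by every shipped unit (constructed value).
HARDCODED_SECRET = b"mxsecurity-factory-default"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, key: bytes):
    """Return the claims if the HMAC checks out under `key`, otherwise None.

    The HMAC is always recomputed regardless of what the header's "alg" says,
    so header tampering cannot downgrade the check.
    """
    try:
        header, payload, signature = token.split(".")
        presented = _b64url_decode(signature)
        expected = hmac.new(key, f"{header}.{payload}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return None


def attacker_forges_admin_token(known_secret: bytes) -> str:
    """No login needed: anyone holding the shared secret mints a valid token."""
    return sign_jwt({"sub": "admin", "role": "admin"}, known_secret)


def vulnerable_device_key() -> bytes:
    """Every unit verifies with the same compiled-in secret."""
    return HARDCODED_SECRET


def hardened_device_key() -> bytes:
    """Generated once at install / first boot and stored only on this device."""
    return secrets.token_bytes(32)


def demo():
    """Forged token: accepted by the vulnerable verifier, rejected by the fixed one."""
    forged = attacker_forges_admin_token(HARDCODED_SECRET)
    accepted = verify_jwt(forged, vulnerable_device_key())
    rejected = verify_jwt(forged, hardened_device_key())
    return accepted, rejected


if __name__ == "__main__":
    print(demo())  # ({'sub': 'admin', 'role': 'admin'}, None)
```

The point of the hardened key function is not the key length but provenance: a secret that is generated on the device and never leaves it cannot be extracted from a firmware image that every customer receives.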
Key points:
- No patch available
- Requires valid credentials for the primary exploitation path (CVE-2023-33235)
- Hardcoded credentials expose an API authentication bypass (CVE-2023-33236)
- Affects the security appliance itself
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product: Moxa MXsecurity
Affected versions: All versions
Fix status: No fix (EOL)
Remediation & Mitigation
Do now
Workaround: Restrict SSH access to MXsecurity management interfaces using firewall rules and network segmentation; limit connectivity to authorized administrative networks only.
Workaround: Disable or restrict web-based API access if it is not required for operations; use network-based access controls to limit API endpoint exposure.
Schedule — requires maintenance window
Applying configuration changes may require a device reboot; plan for process interruption.
Hardening: Review and audit all SSH user accounts, and check API access logs for suspicious command execution or authentication patterns.
Hardening: Implement additional authentication mechanisms (such as certificate-based SSH or multi-factor authentication) where supported.
Mitigations - no patch available
Moxa MXsecurity has reached End of Life and the vendor will not release a patch. Apply the following compensating controls:
Hardening: Monitor Moxa's security advisories for any MXsecurity updates and be prepared to apply them immediately if they become available.
CVEs (2): CVE-2023-33235, CVE-2023-33236