Full Report
[Control Systems] Moxa security advisory (AV26-205)
Analysis Summary
# Vulnerability: Moxa Industrial Computer Intel BIOS and CSME/AMT Weaknesses
## CVE Details
*Note: This advisory references Intel Security Advisories which bundle multiple CVEs.*
- **CVE IDs:** Primarily associated with INTEL-SA-00813, INTEL-SA-00391, and INTEL-SA-00709 (includes CVE-2022-21216, CVE-2020-8752, CVE-2022-33894, among others).
- **CVSS Score:** Up to 9.8 (Critical) depending on the specific sub-vulnerability in INTEL-SA-00391.
- **CWE:** CWE-20 (Improper Input Validation), CWE-287 (Improper Authentication), CWE-119 (Memory Corruption).
## Affected Systems
- **Products:**
- DA Series Industrial Computers
- DA-682C Series Rackmount Computers
- DA-820C Series Rackmount Computers
- **Versions:**
- DA Series: All BIOS versions
- DA-682C Series: BIOS v1.5 and prior
- DA-820C Series: BIOS v1.2 and prior
- **Configurations:** Systems with Intel Active Management Technology (AMT) or Intel Converged Security Management Engine (CSME) enabled.
## Vulnerability Description
These vulnerabilities stem from downstream hardware/firmware flaws in Intel components used in Moxa industrial computing platforms:
1. **BIOS Firmware (INTEL-SA-00813):** Logic or input validation flaws that may lead to Denial of Service (DoS).
2. **CSME/AMT (INTEL-SA-00391 & INTEL-SA-00709):** Privilege escalation, information disclosure, or remote code execution flaws within the management engine. These often exist out-of-band, meaning they can affect the system regardless of the operating system state.
## Exploitation
- **Status:** Not exploited (No specific reports of wild exploitation for these Moxa-specific implementations at the time of advisory).
- **Complexity:** Medium to High (Hardware-level exploitation often requires specific environmental conditions).
- **Attack Vector:** Network (for AMT vulnerabilities) / Local (for BIOS/CSME escalation).
## Impact
- **Confidentiality:** High (Potential access to memory and sensitive system data).
- **Integrity:** High (Potential for unauthorized firmware modification).
- **Availability:** High (Risk of permanent or temporary Denial of Service/System hang).
## Remediation
### Patches
Users are urged to update to the following BIOS versions (or newer) provided by Moxa:
- **DA-682C Series:** Upgrade to BIOS v1.6 or later.
- **DA-820C Series:** Upgrade to BIOS v1.3 or later.
- **DA Series:** Consult Moxa support for specific model-based BIOS updates addressing INTEL-SA-00813.
### Workarounds
- **Disable AMT:** If Active Management Technology is not required for industrial operations, disable it within the BIOS settings.
- **Network Segmentation:** Place industrial computers behind firewalls and isolate management interfaces from the general corporate network.
## Detection
- **Indicators of compromise:** Unexpected system reboots, unauthorized changes to BIOS settings, or unusual traffic directed at ports 16992/16993 (AMT).
- **Detection methods and tools:** Use the Intel CSME Detection Tool to verify the vulnerability status of the underlying hardware.
## References
- **Moxa Security Advisories:**
- hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-256821
- hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-256822
- hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisory/mpsa-256823
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-moxa-security-advisory-av26-205