Full Report
Moxa says the flaws can be used to bypass user authentication, escalate privileges and gain root access to devices. The post Industrial networking manufacturer Moxa reports ‘critical’ router bugs appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Hardcoded Credential and Command Injection Flaws in Moxa Industrial Routers
## CVE Details
- CVE ID: CVE-2024-9138, CVE-2024-9140
- CVSS Score: 8.6 (High) for CVE-2024-9138; 9.8 (Critical) for CVE-2024-9140
- CWE: [Not explicitly stated, but relevant CWEs are likely Hardcoded Credentials (CWE-798) and OS Command Injection (CWE-78)]
## Affected Systems
- Products: Various Moxa Cellular Routers, Secure Routers, and Network Security Appliances.
- Versions: Specific vulnerable firmware versions for the listed product series (refer to official advisory for complete matrix).
- Configurations:
- CVE-2024-9138 requires user authentication.
- CVE-2024-9140 can be exploited remotely by an unauthenticated user.
## Vulnerability Description
Moxa identified two high-severity vulnerabilities in its ICS networking equipment:
1. **CVE-2024-9138 (Hardcoded Credentials/Privilege Escalation):** This flaw leverages hardcoded, privileged credentials present in the firmware of 10 different Moxa products. An authenticated attacker can use these credentials to gain root access to the device.
2. **CVE-2024-9140 (OS Command Injection):** This flaw exists in the firmware of 7 Moxa products. It allows an unauthenticated remote attacker to use specially crafted characters to bypass input restrictions, leading to OS command injection and arbitrary command execution on the underlying operating system.
## Exploitation
- Status: Exploitation in the wild is not explicitly confirmed, but the vendor states immediate action is strongly recommended due to the high risk posed by the critical nature of the flaws.
- Complexity: Low (for CVE-2024-9140 as it is unauthenticated remote RCE).
- Attack Vector: Network (Remote, for CVE-2024-9140); Likely Network/Local (for CVE-2024-9138 after initial authentication).
## Impact
- Confidentiality: High (Potential for full system data access via root compromise).
- Integrity: High (Ability to execute arbitrary commands/OS injection).
- Availability: High (Potential for disruption or denial of service via command execution).
## Remediation
### Patches
Moxa has developed software patches for many affected products. Users should consult the official security advisory for the specific patch version corresponding to their model.
*Note: Some products like NAT-102 Series, OnCell G4302-LTE4 Series, and TN-4900 Series may require contacting Moxa directly for technical support or updated firmware.*
### Workarounds
If immediate patching is not possible:
1. Minimize network exposure of affected devices.
2. Ensure affected devices are *not* directly connected to the internet.
3. Limit SSH access strictly to trusted IP addresses.
4. Implement intrusion detection systems (IDS) to monitor for traffic attempting to exploit these vulnerabilities.
## Detection
- Indicators of Compromise (IOCs): Presence of unauthorized root-level logins or execution of system commands not originating from legitimate configuration management tasks.
- Detection methods and tools: Enhanced monitoring of network traffic leading to affected industrial devices, specifically looking for input strings that contain command sequences or special characters indicative of OS command injection attempts.
## References
- Vendor Advisory: moxa com/en/support/product-support/security-advisory/mpsa-241155-privilege-escalation-and-os-command-injection-vulnerabilities-in-cellular-routers,-secure-routers,-and-netwo (Defanged)
- NVD for CVE-2024-9138
- NVD for CVE-2024-9140