Broken access control in Moxa ThingsPro IIoT Gateway and Device Management Software.
# Vulnerability: Moxa ThingsPro Broken Access Control Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2018-18392
- **CVSS Score:** 8.8 (High). *Note: derived from the provided CVSS v3 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.*
- **CWE:** CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Moxa ThingsPro IIoT Gateway and Device Management Software
- **Versions:** ThingsPro Gateway Edition v2.1; intermediate versions between 2.1 and 2.3 may also be affected.
- **Configurations:** Systems utilizing the web-based management interface.
## Vulnerability Description
A broken access control vulnerability exists in the Moxa ThingsPro software suite. The flaw allows an authenticated user with low-level privileges (PR:L in the vector above) to bypass intended security restrictions. Because the application logic does not sufficiently verify the user's permissions, such a user can perform actions or reach resources that should be restricted to administrative accounts.
## Exploitation
- **Status:** Unknown; the advisory reports no public PoC and no exploitation in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data and configuration)
- **Integrity:** High (Ability to modify gateway settings and software)
- **Availability:** High (Potential to disrupt gateway operations or take the device offline)
## Remediation
### Patches
- **ThingsPro Gateway Edition 2.3:** Moxa has released a firmware update (v2.3) that addresses this vulnerability.
### Workarounds
- The advisory does not list specific manual workarounds. Users are encouraged to contact their Moxa sales representative or technical support to obtain the updated firmware.
- General best practices: Restrict access to the management interface to trusted networks only and implement the principle of least privilege for all user accounts.
## Detection
- **Indicators of Compromise:** Administrative configuration changes or firmware updates recorded in system logs that were initiated by non-admin user accounts.
- **Detection methods and tools:** Audit user roles and permissions within the ThingsPro dashboard to confirm that no account has gained elevated access it was not assigned.
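The log-review guidance above, as an added example that is not Moxa's code or part of the advisory: it parses constructed audit-log lines in an assumed `user=… action=… result=…` format (ThingsPro's real log format is not given here) and flags successful admin-level actions by accounts that the role table does not list as administrators.

```python
import re
from dataclasses import dataclass

# Actions that should only ever be performed by an administrator account.
ADMIN_ACTIONS = {"config.update", "firmware.upload", "user.create", "user.role_change"}
# Constructed role table: the privilege level each account is supposed to have.
ROLES = {"admin": "admin", "operator": "user", "viewer": "user"}
# Constructed audit-log format (an assumption, not ThingsPro's real format):
# "<timestamp> user=<account> action=<verb> result=<ok|denied> [key=value ...]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+)(?: (?P<detail>.*))?$"
)

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    action: str
    reason: str

def parse_line(line: str):
    """Return the event fields as a dict, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_escalations(lines, roles=ROLES):
    """Flag successful admin-level actions whose actor is not a known admin."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        # Only successful admin-level actions matter; "denied" means the access check held.
        if ev is None or ev["action"] not in ADMIN_ACTIONS or ev["result"] != "ok":
            continue
        role = roles.get(ev["user"])
        if role is None:
            findings.append(Finding(ev["ts"], ev["user"], ev["action"], "account not in role table"))
        elif role != "admin":
            findings.append(Finding(ev["ts"], ev["user"], ev["action"], f"role '{role}' is not admin"))
    return findings

# Constructed sample log: a legitimate admin change, a change by a low-privilege operator
# (the pattern this CVE enables), a denied attempt, an unknown account, and an unrelated line.
SAMPLE_LOG = [
    "2018-10-18T09:12:01Z user=admin action=config.update result=ok iface=eth0",
    "2018-10-18T09:16:02Z user=operator action=config.update result=ok iface=eth0",
    "2018-10-18T09:17:30Z user=operator action=firmware.upload result=denied",
    "2018-10-18T09:18:10Z user=ghost action=user.role_change result=ok target=ghost",
    "kernel: eth0 link up",
]
```

Running `find_escalations(SAMPLE_LOG)` returns two findings: the operator's successful configuration change and the role change by an account absent from the role table.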
## References
- **Vendor Advisory:** https://www.moxa.com/
- **Kaspersky ICS CERT:** https://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-020-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-broken-access-control/
- **NVD:** https://nvd.nist.gov/vuln/detail/CVE-2018-18392