Full Report
Moxa's cellular management software OnCell Central Manager, in versions lower than 2.4.1, was affected by remote code execution due to its use of a vulnerable third-party component (Apache Flex BlazeDS).
Analysis Summary
# Vulnerability: Remote Code Execution in Moxa OnCell Central Manager via Apache Flex BlazeDS
## CVE Details
- **CVE ID:** CVE-2017-5641
- **CVSS Score:** 9.8 (Critical) (the source advisory's CVSS v3.1 vector corresponds to 9.8; its numeric summary field contains a typo)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** Moxa OnCell Central Manager
- **Versions:** All versions lower than 2.4.1
- **Configurations:** Systems utilizing the integrated Apache Flex BlazeDS library for AMF (Action Message Format) processing.
## Vulnerability Description
The vulnerability exists because the software uses a legacy version of the **Apache Flex BlazeDS** third-party library, which does not properly validate or restrict the types of objects deserialized from AMF3 messages. An unauthenticated remote attacker can send a specially crafted serialized Java object; insecure deserialization of that object leads to arbitrary code execution (RCE) in the context of the application.
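To make concrete what "restricting the types of objects being deserialized" means for AMF3, the following is an added Python illustration, not BlazeDS or Moxa code: a minimal AMF3 decoder that checks each typed object's class name against an explicit allow-list before materialising anything, and refuses externalizable payloads it has no handler for. The allow-list, class names and sample messages are constructed for the demo; the page does not describe the internal structure of the 4.7.3 fix, so the placement of the check is an assumption about the principle, not a description of the library.

```python
"""Minimal AMF3 decoder that refuses typed objects whose class name is not on
an allow-list. Added illustration in Python; BlazeDS itself is Java and this
is not its code."""

# Assumption for the demo: the application only expects this alias in AMF3 traffic.
ALLOWED_CLASSES = {"com.example.Point"}


class AMF3Error(ValueError):
    """Malformed or unsupported AMF3 input."""


class DisallowedClass(AMF3Error):
    """A typed object named a class the allow-list does not permit."""


class AMF3Decoder:
    def __init__(self, data: bytes, allowed_classes):
        self.buf, self.pos = data, 0
        self.allowed = set(allowed_classes)
        self.strings = []   # AMF3 string reference table
        self.objects = []   # object reference table
        self.traits = []    # traits (class shape) reference table

    def _byte(self) -> int:
        if self.pos >= len(self.buf):
            raise AMF3Error("truncated input")
        b = self.buf[self.pos]
        self.pos += 1
        return b

    def _u29(self) -> int:
        # Variable-length 29-bit integer: up to three 7-bit bytes with a
        # continuation bit, then one full 8-bit byte.
        value = 0
        for _ in range(3):
            b = self._byte()
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value
        return (value << 8) | self._byte()

    def _string(self) -> str:
        ref = self._u29()
        if ref & 1 == 0:                       # low bit clear: table reference
            return self.strings[ref >> 1]
        length = ref >> 1
        raw = self.buf[self.pos:self.pos + length]
        if len(raw) != length:
            raise AMF3Error("truncated string")
        self.pos += length
        text = raw.decode("utf-8")
        if text:                               # the empty string is never tabled
            self.strings.append(text)
        return text

    def decode(self):
        marker = self._byte()
        if marker in (0x01, 0x02, 0x03):       # null, false, true
            return {0x01: None, 0x02: False, 0x03: True}[marker]
        if marker == 0x04:                     # 29-bit signed integer
            v = self._u29()
            return v - (1 << 29) if v & (1 << 28) else v
        if marker == 0x06:
            return self._string()
        if marker == 0x0A:
            return self._object()
        raise AMF3Error(f"unsupported marker 0x{marker:02x}")

    def _object(self):
        ref = self._u29()
        if ref & 1 == 0:                       # object reference
            return self.objects[ref >> 1]
        if ref & 3 == 1:                       # traits reference
            class_name, members, dynamic, external = self.traits[ref >> 2]
        else:
            external = (ref & 7) == 7          # class supplies its own readExternal()
            dynamic = bool(ref & 8)
            count = 0 if external else ref >> 4
            class_name = self._string()
            # The check an unrestricted deserializer lacks: decide on the class
            # name before anything about the object is materialised.
            if class_name and class_name not in self.allowed:
                raise DisallowedClass(f"class not on allow-list: {class_name}")
            members = [self._string() for _ in range(count)]
            self.traits.append((class_name, members, dynamic, external))
        if external:
            # readExternal() payloads are class-specific; this demo implements none.
            raise AMF3Error(f"externalizable payload not supported: {class_name}")
        obj = {"__class__": class_name or None}
        self.objects.append(obj)               # tabled before its members, per AMF3
        for name in members:
            obj[name] = self.decode()
        if dynamic:                            # key/value pairs until an empty key
            while (key := self._string()) != "":
                obj[key] = self.decode()
        return obj


def validate_message(data: bytes, allowed=ALLOWED_CLASSES):
    """Return (accepted, decoded_value_or_reason) for one AMF3 value."""
    try:
        return True, AMF3Decoder(data, allowed).decode()
    except DisallowedClass as exc:
        return False, str(exc)
    except AMF3Error as exc:
        return False, f"malformed: {exc}"


def _s(text: str) -> bytes:
    """Encode a short (< 64 byte) inline AMF3 string for the constructed samples."""
    raw = text.encode("utf-8")
    return bytes([(len(raw) << 1) | 1]) + raw


# Constructed sample: a typed object the application expects (two sealed members).
SAFE_MESSAGE = (b"\x0a\x23"                    # object marker; inline traits, 2 members
                + _s("com.example.Point") + _s("x") + _s("y")
                + b"\x04\x03" + b"\x04\x04")   # x = 3, y = 4

# Constructed sample: an externalizable object naming a class the server never expects.
UNEXPECTED_MESSAGE = b"\x0a\x07" + _s("org.example.Unexpected")

if __name__ == "__main__":
    print(validate_message(SAFE_MESSAGE))
    print(validate_message(UNEXPECTED_MESSAGE))
```

The second sample is rejected on its class name alone, before a single byte of its payload is read; even if the class were allow-listed, the decoder still refuses an externalizable body it has no handler for, which is the safe default when the server cannot account for what a `readExternal()` implementation will do with the bytes.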
## Exploitation
- **Status:** PoC Available (Publicly known for the BlazeDS component)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- **Update to Version 2.4.1 or higher:** Moxa has migrated the internal library to Apache Flex BlazeDS version 4.7.3, which contains the fix for this vulnerability.
- **Action:** Users should contact Moxa Technical Support to obtain the specific security patch or updated installer.
### Workarounds
- No specific software workarounds were provided. It is recommended to restrict network access to the OnCell Central Manager interface to trusted IP addresses only until the patch is applied.
## Detection
- **Indicators of Compromise:** Monitor for unusual network traffic consisting of AMF (Action Message Format) binary data directed at the management software ports.
- **Detection methods and tools:**
  - Utilize IDS/IPS signatures specifically designed to detect CVE-2017-5641 (BlazeDS AMF deserialization).
  - Review application logs for unexpected Java exceptions related to object deserialization.
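The two indicators above, turned into something that can run over log data, as an added Python example that is not part of the advisory: it flags AMF requests that reach a management port from outside trusted address ranges, and it flags Java deserialization exceptions in the application log. The log formats, endpoint path, port number and address ranges are constructed assumptions for the demo, not Moxa's; the `application/x-amf` media type and the AMF packet version prefixes are the real AMF conventions.

```python
"""Detection helpers for the advisory's two indicators. Added example; log
formats, port and endpoint path are constructed, not Moxa's."""
import re
from ipaddress import ip_address, ip_network

# Assumptions for the demo: the management VLAN and the port the manager listens on.
TRUSTED_NETS = [ip_network("10.10.0.0/16")]
MANAGEMENT_PORTS = {8080}

# AMF requests carry this media type; an AMF packet also starts with a 2-byte
# version field, 0x0000 for AMF0 or 0x0003 for AMF3.
AMF_CONTENT_TYPE = "application/x-amf"
AMF_VERSION_PREFIXES = (b"\x00\x00", b"\x00\x03")

# Exceptions that show the server tried to reconstruct an object it did not expect.
DESERIALIZATION_EXCEPTIONS = re.compile(
    r"java\.(?:lang\.ClassNotFoundException|io\.InvalidClassException"
    r"|io\.StreamCorruptedException)|deserializ",
    re.IGNORECASE,
)

# Constructed access-log layout: src_ip dst_port "METHOD path" status content_type
ACCESS_LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<ctype>\S+)$'
)


def is_trusted(src_ip: str) -> bool:
    addr = ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)


def looks_like_amf(content_type: str, body_prefix: bytes = b"") -> bool:
    """Coarse AMF check from the header, or from the first bytes of a captured body."""
    return (content_type.lower().startswith(AMF_CONTENT_TYPE)
            or body_prefix[:2] in AMF_VERSION_PREFIXES)


def scan_access_log(lines):
    """Findings for AMF requests reaching a management port from an untrusted address."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line.strip())
        if not m:
            continue
        if (int(m["port"]) in MANAGEMENT_PORTS
                and looks_like_amf(m["ctype"])
                and not is_trusted(m["src"])):
            findings.append({"rule": "amf-from-untrusted", "src": m["src"],
                             "path": m["path"], "status": m["status"]})
    return findings


def scan_app_log(lines):
    """Findings for Java exceptions that point at object deserialization."""
    return [{"rule": "deserialization-exception", "line": line.strip()}
            for line in lines if DESERIALIZATION_EXCEPTIONS.search(line)]


# Constructed sample lines (documentation address ranges used for the untrusted hosts).
ACCESS_LOG = [
    '10.10.5.21 8080 "POST /amf-endpoint" 200 application/x-amf',
    '203.0.113.45 8080 "POST /amf-endpoint" 500 application/x-amf',
    '203.0.113.45 8080 "GET /index.html" 200 -',
    '198.51.100.7 443 "POST /api/login" 200 application/json',
]
APP_LOG = [
    "2020-03-16 09:13:44 ERROR amf: java.lang.ClassNotFoundException: org.example.Unexpected",
    "2020-03-16 09:13:44 INFO  amf: request served in 12 ms",
    "2020-03-16 09:13:45 ERROR amf: java.io.InvalidClassException: rejected during deserialization",
]

if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG) + scan_app_log(APP_LOG):
        print(finding)
```

The media-type check on its own is only a coarse heuristic, since legitimate Flex clients also send `application/x-amf`; the signal comes from combining it with the source address condition, which is the same trust boundary the workaround above relies on. A server error status on an AMF request from an untrusted address, followed within seconds by a `ClassNotFoundException` in the application log, is the pairing worth escalating.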
## References
- **Kaspersky Advisory:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2020/03/16/klcert-20-001-remote-code-execution-on-moxas-cellular-management-software-oncell-central-manager-version-lower-than-2-4-1/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-5641
- **Vendor Support:** hxxps[://]www[.]moxa[.]com/en/support