Full Report
The security of IIoT products requires special attention. This time, the subject of our research was the ThingsPro Suite, an IIoT gateway and device manager from Moxa.
Analysis Summary
Based on the security research conducted by Kaspersky ICS CERT regarding the Moxa ThingsPro Suite, here is the summarized vulnerability information.
# Vulnerability: Multiple Critical Flaws in Moxa ThingsPro Suite
## CVE Details
*Note: This research uncovered a chain of vulnerabilities, primarily focused on the two most critical entries below.*
- **CVE ID:** CVE-2018-19067
  - **CVSS Score:** 9.8 (Critical)
  - **CWE:** CWE-78 (OS Command Injection)
- **CVE ID:** CVE-2018-19068
  - **CVSS Score:** 9.8 (Critical)
  - **CWE:** CWE-287 (Improper Authentication)
## Affected Systems
- **Products:** Moxa ThingsPro Suite (IIoT Gateway and Device Management platform)
- **Versions:** Versions prior to v2.3.0
- **Configurations:** Systems where the web-based management interface is accessible via the network.
## Vulnerability Description
The research identified a total of 7 vulnerabilities, grouped below into three classes, that can be chained to gain full root access to the IIoT gateway:
1. **Broken Authentication (CVE-2018-19068):** The REST API failed to properly validate sessions, allowing an attacker to bypass authentication and gain access to administrative functions.
2. **Command Injection (CVE-2018-19067):** Several API endpoints used for system configuration (such as networking or disk management) failed to sanitize user input. An attacker could inject shell commands (e.g., via `;` or `|`) that would be executed with **root privileges**.
3. **Privilege Escalation:** Weaknesses in how service tasks were handled allowed low-privileged users to escalate to system-level access.
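As an added illustration of the CWE-78 pattern in item 2 and of its fix (example code written for this summary, not code from ThingsPro or from the Kaspersky report), the unsafe builder below interpolates request fields straight into a shell command line, while the hardened builder validates each field against its expected grammar and passes an argv list, so no shell ever parses the input. The `ip addr add` invocation, the field names and the interface-name allowlist are assumptions; the unsafe builder returns its string rather than executing it so the effect of a metacharacter can be inspected safely.

```python
import ipaddress
import re
import subprocess

# Assumed allowlist for interface names: alphanumerics, '.', '-', '_', at most
# 15 characters (the Linux IFNAMSIZ limit). Anything else is rejected outright.
IFACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,14}$")


def build_unsafe_command(iface: str, address: str) -> str:
    """The CWE-78 pattern: request fields are pasted into a shell string.

    Returned, not executed. Whatever the shell treats as a metacharacter in
    `iface` or `address` becomes part of the command line verbatim.
    """
    return f"ip addr add {address} dev {iface}"


def build_safe_command(iface: str, address: str) -> list:
    """Hardened form: validate, then build an argv list (never a shell string)."""
    if not IFACE_RE.match(iface):
        raise ValueError(f"invalid interface name: {iface!r}")
    # ipaddress.ip_interface raises ValueError for anything that is not a
    # well-formed IPv4/IPv6 address with optional prefix length.
    net = ipaddress.ip_interface(address)
    return ["ip", "addr", "add", net.with_prefixlen, "dev", iface]


def run_safe(iface: str, address: str) -> subprocess.CompletedProcess:
    """Execute the validated argv with shell=False; elements are not re-parsed.

    Requires root and the iproute2 tools, so it is not exercised by the checks
    below; it shows where the hardened builder is meant to be used.
    """
    return subprocess.run(build_safe_command(iface, address),
                          check=True, capture_output=True, text=True)
```

The two defences are independent and both matter: the argv list removes the shell from the execution path entirely, and the allowlist keeps malformed values from reaching even the `ip` binary, which is also where the rejected request should be logged.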
## Exploitation
- **Status:** PoC developed by researchers; no known active exploitation in the wild at the time of publication.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Total access to device data and credentials)
- **Integrity:** High (Ability to modify gateway configurations and firmware)
- **Availability:** High (Ability to brick the device or stop industrial data flows)
## Remediation
### Patches
- **ThingsPro Suite v2.3.0:** Moxa released this version specifically to address the vulnerabilities identified in the Kaspersky report. Users should upgrade to v2.3.0 or higher immediately.
- **ThingsPro Suite v2.5.0:** Additional hardening was introduced in subsequent releases.
### Workarounds
- **Network Segmentation:** Isolate the IIoT gateway management interface from the public internet and untrusted internal networks.
- **Access Control:** Use a VPN for remote management access and restrict access to the web interface to specific authorized IP addresses.
## Detection
- **Indicators of Compromise:** Unusual web server logs showing requests with shell metacharacters (`;`, `&`, `$()`, `` ` ``) directed at API endpoints.
- **Detection methods:** Monitor for unauthorized modifications to the `/etc/shadow` file or the presence of unexpected cron jobs/scripts in the `/home/` directories.
- **Tools:** Industrial-focused IDS (Intrusion Detection Systems) with signatures for Moxa API patterns.
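The log-based indicator above and the access-control workaround can be checked with a short scanner; the one below is an added example written for this summary, not a tool from Moxa, Kaspersky or CISA. It parses Common Log Format access-log lines, percent-decodes the request target (twice, to catch double encoding) before looking for shell metacharacters in requests to API paths, and separately flags requests from outside an assumed management subnet. The sample log lines, the `/api/` prefix and the `10.10.1.0/24` allowlist are constructed for the example and are not ThingsPro's real endpoints or a real network.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed access-log sample (Common Log Format). Paths are placeholders.
SAMPLE_LOG = """\
10.10.1.20 - - [22/Jan/2019:10:01:12 +0000] "GET /api/v1/status HTTP/1.1" 200 512
10.10.1.20 - - [22/Jan/2019:10:01:40 +0000] "PUT /api/v1/network/eth0 HTTP/1.1" 200 88
203.0.113.7 - - [22/Jan/2019:10:02:03 +0000] "PUT /api/v1/network/eth0;id HTTP/1.1" 200 90
203.0.113.7 - - [22/Jan/2019:10:02:09 +0000] "PUT /api/v1/disk/%24%28id%29 HTTP/1.1" 500 12
10.10.1.21 - - [22/Jan/2019:10:03:00 +0000] "GET /static/app.js?v=1&min=1 HTTP/1.1" 200 4096
"""

# Common Log Format: host ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

API_PREFIX = "/api/"  # assumption: where the management API lives

# ';', '|', backtick, '&&' and '$(' are rarely legitimate in a request target.
# A lone '&' is deliberately excluded: it separates ordinary query parameters
# and would drown the alert in false positives.
METACHARS = re.compile(r"[;|`]|&&|\$\(")

# Assumption: the only sources allowed to reach the management interface.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]


def parse_line(line: str):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def findings(log_text: str, allowed=ALLOWED_SOURCES) -> list:
    """Return (src, method, raw_path, reasons) for every suspicious request."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # Decode twice so %2524 (double-encoded '$') is also caught.
        decoded = unquote(unquote(rec["path"]))
        if decoded.startswith(API_PREFIX) and METACHARS.search(decoded):
            reasons.append("shell metacharacter in API request")
        src = ipaddress.ip_address(rec["src"])
        if not any(src in net for net in allowed):
            reasons.append("source outside management allowlist")
        if reasons:
            out.append((rec["src"], rec["method"], rec["path"], reasons))
    return out


if __name__ == "__main__":
    for src, method, path, reasons in findings(SAMPLE_LOG):
        print(f"{src} {method} {path}: {', '.join(reasons)}")
```

Two caveats a practitioner will want: injected input sent in a request body rather than the URL never reaches an access log, so this scanner complements rather than replaces inspection at a reverse proxy or IDS; and a hit on the allowlist rule alone is a firewall-rule problem before it is an intrusion, which is exactly the gap the segmentation workaround is meant to close.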
## References
- **Vendor Advisory:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisories
- **Kaspersky ICS CERT Report:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/01/22/security-research-thingspro-suite-iiot-gateway-and-device-manager-by-moxa/
- **CISA Advisory (ICSA-18-354-01):** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-18-354-01