Moxa’s MXview is a web-based network management system designed for monitoring and managing Moxa-based devices. MXview is made up of several components, including a NodeJS web server, a backend process called MXview Core that monitors all managed computers, a Postgres database, and an MQTT message broker that transfers messages to and from different components in the MXview environment.
Team82’s investigation into MXview uncovered five vulnerabilities in the platform that could allow a remote, unauthenticated attacker to execute code with the highest privileges available on the hosting machine: NT AUTHORITY\SYSTEM.
Different processes and tasks communicate as part of MXview’s business logic by sending and receiving messages via an MQTT broker called Mosquitto. MQTT is a Pub/Sub (publisher/subscriber) protocol that enables asynchronous remote communication. The MQTT protocol consists of two entities: a client that sends and receives messages, and a broker that routes messages to the appropriate clients.
The broker maintains a list of topics or channels, through which publishers can send messages in order to distribute them to the appropriate clients. A client must subscribe to a topic in order to receive messages. When a message is published to a specific topic, the broker distributes it to all clients that have subscribed to that topic.
The United States Cybersecurity and Infrastructure Security Agency (CISA) stated that, “Successful exploitation of these vulnerabilities may allow an attacker to create or overwrite critical files to execute code, gain access to the programme, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely.”
The list of flaws is as follows:
- CVE-2021-38452 (CVSS score: 7.5) – A path traversal vulnerability in the application, allowing the access or overwrite of critical files used to execute code
- CVE-2021-38454 (CVSS score: 10.0) – A misconfigured service that allows remote connections to MQTT, making it possible to remotely interact and use the communication channel
- CVE-2021-38456 (CVSS score: 9.8) – Use of hard-coded passwords
- CVE-2021-38458 (CVSS score: 9.8) – An issue with improper neutralization of special elements that could lead to remote execution of unauthorized commands
- CVE-2021-38460 (CVSS score: 7.5) – A case of password leakage that may allow an attacker to obtain credentials
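As an added example (not code from Team82’s write-up or from Moxa’s product), the broker-side weakness behind CVE-2021-38454 can be checked by linting the Mosquitto configuration: a listener bound to every interface, anonymous clients, no password file and no ACL are the settings that let an outside party connect and publish to internal topics. The two configurations are constructed for this example; the directive names (`listener`, `allow_anonymous`, `password_file`, `acl_file`) are Mosquitto’s own.

```python
"""Lint a Mosquitto configuration for settings that expose the MQTT channel
to remote clients. Both sample configs below are constructed, not Moxa's."""
from typing import List, Tuple

WILDCARD_ADDRS = {"0.0.0.0", "::"}

# Constructed: a broker reachable from the network with no authentication or ACL.
WEAK_CONF = """
listener 1883
allow_anonymous true
"""

# Constructed: loopback only, password-authenticated, topic access restricted.
HARDENED_CONF = """
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl
"""


def parse_mosquitto_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Mosquitto config is one 'key value...' directive per line; '#' starts a comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        entries.append((key, args))
    return entries


def audit_broker_config(text: str) -> List[str]:
    """Return finding tags in config order; an empty list means no weak setting was seen."""
    entries = parse_mosquitto_conf(text)
    present = {key for key, _ in entries}
    findings = []
    for key, args in entries:
        # 'listener <port> [bind_address]': no address or a wildcard listens on every interface
        if key == "listener" and (len(args) < 2 or args[1] in WILDCARD_ADDRS):
            findings.append(f"exposed_listener:{args[0]}")
        # legacy 'port <n>' binds to all interfaces unless bind_address narrows it
        if key == "port" and "bind_address" not in present:
            findings.append(f"exposed_listener:{args[0]}")
        if key == "bind_address" and args and args[0] in WILDCARD_ADDRS:
            findings.append("exposed_listener:bind_address")
        if key == "allow_anonymous" and args and args[0].lower() == "true":
            findings.append("anonymous_clients")
    # without a password file or auth plugin, no client is tied to an identity
    if not present & {"password_file", "auth_plugin", "plugin"}:
        findings.append("no_password_file")
    # without an ACL, any connected client may publish to every topic the backend consumes
    if "acl_file" not in present:
        findings.append("no_acl_file")
    return findings


if __name__ == "__main__":
    print("weak:", audit_broker_config(WEAK_CONF))
    print("hardened:", audit_broker_config(HARDENED_CONF))
```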
Claroty devised a hypothetical attack scenario in which CVE-2021-38452 could be used to obtain the plain-text MQTT password by reading the configuration file gateway-upper.ini, followed by leveraging CVE-2021-38454 to inject rogue MQTT messages, triggering code execution on the server via command injection.
Finally, the researchers concluded that, “Through the OS command injection vulnerability, an attacker injects malicious messages directly to the MQTT broker, bypassing all input validation performed by the server, and achieves arbitrary remote code execution.”