Full Report
Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device Management Software.
Analysis Summary
# Vulnerability: Remote Code Execution in Moxa ThingsPro IIoT Gateway
## CVE Details
- **CVE ID:** CVE-2018-18396
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command / Command Injection)
## Affected Systems
- **Products:** Moxa ThingsPro Gateway and Device Management Software
- **Versions:** ThingsPro Gateway v2.1
- **Configurations:** Default installations of the Gateway Edition software.
## Vulnerability Description
The flaw is an OS command injection (CWE-78). A value supplied over the network is concatenated into a command string that the gateway hands to the system shell without neutralising shell metacharacters, so an attacker can terminate the intended command and append their own, which then runs with the high privileges of the service that spawned the shell. The root cause is twofold: the parameter is not validated against an allowlist of acceptable values, and the command is run through a shell that parses the string instead of passing the value as a single argument directly to the program.
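To make the bug class concrete, here is an added example (not code from ThingsPro or from Moxa) of a handler that builds a shell command from an untrusted value, beside the two changes that fix it. The wrapped command (`echo`) and the parameter name `host` are assumptions chosen so the demonstration runs offline; the report does not say which command or parameter the real flaw lives in.

```python
"""Command injection (CWE-78): a vulnerable handler beside its hardened form.

Added illustration, not code from ThingsPro or from Moxa. The diagnostic
being wrapped (echo) and the parameter name 'host' are assumptions chosen
to make the bug class reproducible offline.
"""
import re
import subprocess

# Allowlist: what a hostname or IP literal may contain. The first character
# must not be '-' so the value can never be read as an option by the program.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$")


def run_vulnerable(host: str) -> str:
    """Concatenates the untrusted value into a command line and runs it
    through /bin/sh (shell=True). Any ';', '&&', '|', '`' or '$(...)' in
    'host' ends the intended command and starts the attacker's."""
    cmd = "echo probe " + host  # stand-in for the real diagnostic command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """Half a fix: with an argv list no shell parses the value, so the
    metacharacters reach the program literally. This stops command injection
    but not argument injection (a value starting with '-' is still read as
    an option by many tools), so validation is still required."""
    return subprocess.run(["echo", "probe", host], capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Allowlist validation first, then argv form. Together these are the
    CWE-78 fix: reject anything that is not a plausible host, and never let
    the value reach a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return subprocess.run(["echo", "probe", host], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "10.0.0.9; echo INJECTED"
    print(run_vulnerable(payload), end="")   # the injected second command runs
    print(run_argv_only(payload), end="")    # the payload is echoed literally
    try:
        run_hardened(payload)
    except ValueError as err:
        print(err)
```

Run with `python3 cwe78_demo.py`: the first call prints two lines because `/bin/sh` executed `echo INJECTED` as a separate command, the second prints the whole payload as one literal argument, and the third is rejected before anything is executed. The argv-only form alone is the mistake to watch for in patches; it closes the shell metacharacter path but leaves argument injection open.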
## Exploitation
- **Status:** Unknown (No public PoC or active exploitation reported in the source article)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to system data and files)
- **Integrity:** High (Ability to modify system configuration and operational logic)
- **Availability:** High (Potential to disable the gateway or disrupt IIoT communications)
## Remediation
### Patches
- **ThingsPro Gateway Edition 2.3:** Moxa has released a firmware update to address this vulnerability. Users are advised to upgrade to version 2.3 or later.
- **Note:** Users should contact their Moxa sales representative directly to obtain the specific firmware package for their device.
### Workarounds
- Ensure the IIoT Gateway is not exposed directly to the public internet.
- Implement strict firewall rules to restrict access to the device management interface to authorized IP addresses only.
- Use a VPN for remote management tasks.
## Detection
- **Indicators of Compromise:** On the gateway, look for unexpected child processes of the management service (a shell, `wget`, `curl`, `nc`), new user accounts, cron entries or startup scripts, and unusual outbound connections from the gateway to hosts it has no operational reason to contact.
- **Detection methods and tools:** A Network Intrusion Detection System (NIDS) can match shell metacharacters (`;`, `&&`, `|`, backtick, `$(`, and encoded newlines such as `%0a`) in parameters sent to the ThingsPro management interface. This only works where the sensor sees the traffic in clear (TLS must be terminated or decrypted in front of it), parameter values must be percent-decoded before matching, and such signatures are noisy on interfaces that legitimately accept free text, so host-side process monitoring is the more reliable check.
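The matching logic described above, as an added example that is not part of the original report or of any NIDS product: a scanner that percent-decodes the parameters of management-interface requests, flags shell metacharacters, and additionally checks parameters of known meaning against their expected shape so that argument injection with no metacharacter is also caught. The log format (`<src_ip> <METHOD> <path?query>`), the endpoint paths and the parameter names are constructed for the example; the report does not document the real ThingsPro request format.

```python
"""Flag command-injection attempts in management-interface request logs.

Added illustration, not Moxa or NIDS code. Log format, endpoint paths and
parameter names are constructed for the example. The token set is wider
than ';', '&&' and '|' because real payloads also use newlines, backticks
and $(...), and values are percent-decoded before matching because that is
how they arrive on the wire.
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Tokens that start a second command or a substitution in /bin/sh
METACHAR_RE = re.compile(r"(;|&&|\|\||\||`|\$\(|\n|\r)")

# Expected shape of parameters whose meaning is known; catches argument
# injection (e.g. an appended '-f') that contains no metacharacter at all
EXPECTED = {
    "host": re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$"),
}

# Constructed sample log, not captured traffic
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/diagnostics/ping?host=10.0.0.9
10.0.0.5 GET /api/v1/diagnostics/ping?host=10.0.0.9%3Bid
203.0.113.7 GET /api/v1/diagnostics/ping?host=a%60id%60
10.0.0.5 POST /api/v1/config?name=pipeline%7C1
10.0.0.5 GET /api/v1/diagnostics/ping?host=x%0acat%20/etc/passwd
10.0.0.5 GET /api/v1/diagnostics/ping?host=10.0.0.9%2520-f
"""


def classify(name: str, value: str) -> Optional[str]:
    """Return why a decoded parameter value is suspicious, or None."""
    if METACHAR_RE.search(value):
        return "metachar"
    expected = EXPECTED.get(name)
    if expected and not expected.fullmatch(value):
        return "format"
    return None


def scan_line(line: str) -> list:
    """Parse one '<src_ip> <METHOD> <path?query>' entry and return findings."""
    src, method, target = line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    # parse_qsl removes one layer of percent-encoding; unquote removes a
    # second so that %253B (double-encoded ';') is still seen as ';'
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)
        reason = classify(name, value)
        if reason:
            findings.append({"src": src, "method": method, "path": parts.path,
                             "param": name, "value": value, "reason": reason})
    return findings


def scan_log(text: str) -> list:
    """Scan every non-empty line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['src']} {f['method']} {f['path']} "
              f"{f['param']}={f['value']!r} [{f['reason']}]")
```

On the sample log the first line is clean, the next four are flagged as `metachar` (encoded `;`, backticks, `|` and a newline), and the last is flagged as `format` only: `%2520-f` decodes to a space followed by `-f`, which contains no shell metacharacter but is not a hostname, so a signature limited to `;`, `&&` and `|` would miss it. The `format` rule is where the false-positive rate is controlled; it requires knowing what each parameter is supposed to hold, which is the same knowledge the vendor fix needs.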
## References
- **Vendor Advisory:** hxxps[://]www[.]moxa[.]com/en/support/product-support/security-advisories
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2018/10/18/klcert-18-024-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-remote-code-execution/
- **NVD Entry:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-18396