Photographee.eu - Fotolia
Moxa Inc.'s MXview is often used by enterprises to visualize network devices and physical connections automatically. A vulnerability was recently found in some MXview versions that could enable privilege escalation. What is this vulnerability, and how can Moxa MXview be abused?
The unquoted service path vulnerability was found in MXview 2.8 and earlier versions, and it enables a local user to escalate privileges by inserting arbitrary code in a service path that is not enclosed with quotes. The unquoted service path may contain spaces -- for instance, D:\2012455 4562 56. To execute the arbitrary code, the service must be enabled before it can be restarted.
Moxa MXview can be abused in several different ways, including:
- The user could configure, monitor and diagnose new network devices in the enterprise's industrial devices and Simple Network Management Protocol/IP devices installed on subnets. These devices include industrial wireless devices, industrial secure routers, industrial Ethernet gateways and Ethernet remote I/Os.
- The user could manually look through the services via the command window to find other paths that are unquoted. This could alter the service path, appearance of the dashboard, file names, data in files, the placement of files into a subdirector, and some menu items could even be added or deleted.
- The backup of the MXview database could be rescheduled and possibly rerouted to the user's server, where the user could then alter the files in the database before sending them back to the MXview server. The database includes topology, job scheduling, events and device properties.
- The configuration of event notification alarms that are sent through text messages and emails could be maliciously modified. The user could alter links, delete a device and add a third-party icon without permission from the legitimate system administrator.
- Support for the MXview ToGo mobile app for remote monitoring and notification could be disabled or maliciously altered. As a result, the mobile user would not be properly notified of an event in MXview.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)