MXsecurity Product Vulnerabilities
Moxa, a provider of industrial networking and automation solutions, has released version 1.0.1 to patch a critical authentication bypass and a high-severity command injection vulnerability discovered by security researcher Simon Janz in its MXsecurity product. The product is industrial network security management software for operational technology (OT) environments. The critical vulnerability (CVE-2023-33235) allows attackers to bypass authentication remotely; it stems from the configuration of the MXsecurity web-based interface and the use of a hardcoded JSON Web Token (JWT) secret.
Authentication Bypass and Remote Command Execution
The weak configuration allows attackers to forge valid JWT tokens and gain access to the web panel with admin privileges. Janz disclosed the technical details, stating that the authentication bypass, chained with another vulnerability such as the server-side request forgery (SSRF) flaw, could lead to arbitrary code execution within the targeted network. For the high-severity flaw (CVE-2023-33236), the attacker must first obtain the SSH admin credentials in order to run arbitrary commands and gain remote control over the targeted network.
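To make concrete why a secret baked into shipped software defeats JWT authentication, here is an added illustration (not code from MXsecurity or Moxa; the secret value, claim names and file path are constructed for the example): a minimal HS256 issuer and verifier, with the shipped-secret pattern beside a per-installation secret generated at first start.

```python
import base64, hashlib, hmac, json, os, secrets

SHIPPED_SECRET = b"example-hardcoded-secret"  # constructed stand-in for a baked-in secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, claims: dict) -> str:
    """Mint an HS256 JWT: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str):
    """Return the claims if the signature matches `secret`, else None.
    The algorithm is pinned to HS256 so 'alg: none' style tokens are refused."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, AttributeError):
        return None

def load_or_create_secret(path: str) -> bytes:
    """Hardened pattern: a random secret generated on first start of *this*
    installation and stored owner-only, so it is absent from the shipped image."""
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read()
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key

def demo(secret_path: str):
    """Admin token minted with the shipped secret: accepted by a verifier that shares it, rejected once the installation has its own secret."""
    token = issue_token(SHIPPED_SECRET, {"sub": "admin", "role": "admin"})
    accepted_shipped = verify_token(SHIPPED_SECRET, token) is not None
    accepted_fixed = verify_token(load_or_create_secret(secret_path), token) is not None
    return accepted_shipped, accepted_fixed
```

The signature in the first case proves nothing, because the verifying key is known to everyone who has a copy of the software; in the second case only the installation that generated the key can mint tokens it accepts.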
CISA and ZDI Advisories
The discovered flaws prompted Moxa to release security patches and the US Cybersecurity and Infrastructure Security Agency (CISA), which collaborates with the public and private sectors to secure and defend cyber and physical infrastructure, to issue advisories for the two vulnerabilities. CISA noted that the vulnerable product is widely used across several sectors globally. In parallel, the Zero Day Initiative (ZDI), a program created to manage software vulnerabilities, coordinated the disclosure of the vulnerabilities to end users.
Advice to Organizations
Organizations that use the Moxa MXsecurity product should ensure that they have updated to version 1.0.1, which patches both vulnerabilities. Vendors of industrial network security management software should use strong cryptography and avoid hardcoding secret keys when developing security tools. Additionally, OT organizations should conduct regular vulnerability assessments and security audits of their systems, monitor network activity logs, keep an inventory of devices, segment networks, and ensure that their employees understand the cyber risks arising from the use of internet-connected devices and know what to do in the event of an attack.
Editorial
The vulnerabilities discovered in Moxa’s MXsecurity product are a call to manufacturers to improve their security practices and test their products robustly before launch. The flaws create loopholes that can lead to remote command execution and the takeover of targeted systems. The impact is not limited to the organization using the vulnerable product; it extends to the other interconnected networks that make up the OT environment. The global focus on OT security is driven by the rising threat level from nation-state actors and cybercriminals seeking to compromise OT networks, as highlighted by the ICS Cyber Security Conference, which brings OT and IT professionals together to share knowledge and best practices.
Philosophical discussion
As organizations integrate OT and IT devices, technologies, and systems, their exposure to cyber-attacks, data breaches, and other security incidents increases. The integration also raises several philosophical questions concerning the human role in technology development, the use of machine learning and artificial intelligence in assessing and identifying vulnerabilities, and the evolving cybersecurity standards and protocols. Ensuring that technology operates for the good of humanity and that industrial systems operate optimally will require unprecedented collaboration between researchers, security experts, manufacturers, government, and the public sector in the administration of cybersecurity, privacy, and ethics.