Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)

A critical security vulnerability has been identified in Moxa’s industrial ethernet switches, threatening the integrity of operational technology (OT) networks. The vulnerability, tracked as CVE-2023-38408, carries a critical CVSS score of 9.8, signaling an urgent need for remediation.

The issue lies within the OpenSSH component used by the devices. Specifically, the vulnerability affects the PKCS#11 feature in OpenSSH’s ssh-agent versions prior to 9.3p2.

The flaw stems from an “unreliable search path” that allows for Remote Code Execution (RCE) if an agent is forwarded to a system controlled by an attacker. Code located in directories like /usr/lib is not necessarily safe for loading, and this specific vulnerability exists due to an incomplete fix for a previous issue, CVE-2016-10009.

Because of the high severity of this issue, users are urged to apply solutions immediately to mitigate the risks.

Moxa has identified two major product series affected by this vulnerability.

1. EDS Series

• Models: EDS-G4000, EDS-4008, EDS-4009, EDS-4012, EDS-4014, EDS-G4008, EDS-G4012, and EDS-G4014.
• Vulnerable Firmware: Version 4.1 and earlier.

2. RKS Series

• Models: RKS-G4000, RKS-G4028, and RKS-G4028-L3.
• Vulnerable Firmware: Version 5.0 and earlier.

Moxa has developed security patches to address this flaw, but they are seemingly not available for direct public download. Users must contact Moxa Technical Support to obtain the specific patch files.

• For EDS Series: Request security patch v4.1.58.
• For RKS Series: Request security patch v5.0.4.

For organizations that cannot immediately perform a firmware update, Moxa recommends a defense-in-depth approach to minimize risk.

• Restrict Access: Use firewalls or Access Control Lists (ACLs) to limit communication to trusted IPs. Segregate operational networks using VLANs.
• Minimize Exposure: Ensure devices are not exposed directly to the Internet and disable unused ports.
• Harden Authentication: Implement Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC).
• Secure Communications: Use encrypted protocols like VPN or SSH for remote access and restrict it to authorized personnel.
• Monitor: Implement anomaly detection to flag unauthorized activities and regularly review audit logs.

Related Posts:

• CVE-2023-38408: OpenSSH Remote Code Execution Vulnerability
• Critical Vulnerability in Moxa PT Switches Allows Unauthorized Access
• CVE-2024-1086: Linux Kernel Vulnerability Impacts Numerous Moxa Products
• CVE-2024-9404: Remote DoS Vulnerability Found in Moxa Industrial Switches
• Moxa PT Switches Vulnerable to CVE-2024-9404 Denial-of-Service Attack