CVSS2: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 9.9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.007 Low (Percentile: 80.2%)
An exploitable command injection vulnerability exists in the encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send a diagnostic script while authenticated as a low-privilege user to trigger this vulnerability.
Moxa AWK-3131A Firmware version 1.13
<http://www.moxa.com/product/AWK-3131A.htm>
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.
An encrypted script file is used for diagnostics of the Moxa AWK-3131A. This script file is encrypted with a hardcoded password:
openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s
These encrypted files can be uploaded to the web portal for “advanced diagnostics” of the device.
The script file format itself is somewhat custom and is a very barebones command set. For the purposes of explaining the format, assume that # designates a comment (not true in the script file itself):
MOXA # This must be present in the file as a magic header
This line is ignored # Lines that do not contain a reserved word are ignored
period: 10; # This is the start of a loop which starts every 10 seconds, period is the reserved word and this is required for successful parsing of the format
> arp # > is the reserved word for executing
total: 20; # This is the end of the loop for a total of 2 executions
Results of the script are zipped and then encrypted prior to being presented to the user. The same openssl command can be used with the -d flag in order to decrypt the file.
The script contains a very limited command set including:
- free
- arp
- route
- iwconfig
- ipconfig
- ps
- dmesg
- brctl
- athstats
- 80211debug
- athdebug
- tcpdump
- killall tcpdump
- netstat
- cat
These commands are fully functional and can take arguments to perform any action that could be done via the command line. Because these commands are executed as root, cat /etc/passwd as well as tcpdump -i br0 -w /dev/null -W 1 -G 1 -z '/sbin/reboot' are specifically interesting usages of this functionality.
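The following is an added example, not code from the advisory or from Moxa: a parser for the decrypted script format described above (MOXA magic header, period:/total: loop markers, > execution lines) plus an audit pass that flags what a hardened parser should reject, namely commands outside the listed set and listed commands that carry arguments. It assumes reserved words are matched at the start of a line and uses a constructed sample script.

```python
import re

# The command set the advisory says the diagnostic script accepts.
ALLOWED = {"free", "arp", "route", "iwconfig", "ipconfig", "ps", "dmesg", "brctl",
           "athstats", "80211debug", "athdebug", "tcpdump", "killall tcpdump",
           "netstat", "cat"}

# Constructed sample of an already-decrypted diagnostic script.
SAMPLE = """MOXA
free-form text without a reserved word, which the parser ignores
period: 10;
> arp
> cat /etc/passwd
> tcpdump -i br0 -w /dev/null
total: 20;
"""

def parse_script(text):
    """Return (period, total, commands) for a script in the AWK-3131A format.
    Raises ValueError if the MOXA magic header or the period: line is missing,
    since the advisory says both are required for successful parsing."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or lines[0] != "MOXA":
        raise ValueError("missing MOXA magic header")
    period = total = None
    commands = []
    for line in lines[1:]:
        if m := re.fullmatch(r"period:\s*(\d+);", line):
            period = int(m.group(1))          # loop start, interval in seconds
        elif m := re.fullmatch(r"total:\s*(\d+);", line):
            total = int(m.group(1))           # loop end, total run time
        elif line.startswith(">"):
            commands.append(line[1:].strip())  # '>' executes what follows
        # any other line carries no reserved word and is ignored
    if period is None:
        raise ValueError("missing period: line")
    return period, total, commands

def audit_commands(commands):
    """Return (command, reason) for each entry a hardened parser should reject:
    only bare, argument-free commands from ALLOWED are accepted."""
    findings = []
    for cmd in commands:
        if cmd in ALLOWED:
            continue  # bare allowlisted command: the intended diagnostic use
        if any(cmd.startswith(a + " ") for a in ALLOWED):
            findings.append((cmd, "allowlisted command with arguments"))
        else:
            findings.append((cmd, "command not in allowlist"))
    return findings
```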
2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release