SUMMARY

Arm-based Computer Improper Privilege Management Vulnerability

Successful exploitation of the improper privilege management vulnerability could allow a local user with normal privileges to change their settings so they have root privileges on affected devices.

The identified vulnerability types and potential impacts are shown below:

Item | Vulnerability Type | Impact
1 | Improper Privilege Management (CWE-269) | A local user with low privileges can change their settings so they have root privileges.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and system image versions are shown below.

Product Series | Affected Versions
UC-8100A-ME-T Series | System Image v1.0 to v1.6
UC-2100 Series | System Image v1.0 to v1.12
UC-2100-W Series | System Image v1.0 to v1.12
UC-3100 Series | System Image v1.0 to v1.6
UC-5100 Series | System Image v1.0 to v1.4
UC-8100 Series | System Image v3.0 to v3.5
UC-8100-ME-T Series | System Image v3.0 and v3.1
UC-8200 Series | System Image v1.0 to v1.5
AIG-300 Series | System Image v1.0 to v1.4
UC-8410A Series (with Debian 9) | System Image v4.0.2 and v4.1.2
UC-8580 Series (with Debian 9) | System Image v2.0 and v2.1
UC-8540 Series (with Debian 9) | System Image v2.0 and v2.1
DA-662C-16-LX Series (GLB) | System Image v1.0.2 to 1.1.2

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
UC and DA Series

For devices with Internet access

  1. Connect to the device and log in to the Linux shell.
  2. Enter the following commands in sequence to update the affected software component (moxa-version):
    1. sudo apt update
    2. sudo apt install --only-upgrade moxa-version

For devices without Internet access

  1. Download moxa-version_1.3.3+deb9_armhf.deb from the site below using a computer with Internet access.
     https://debian.moxa.com/#debian/pool/main/m/moxa-version/
  2. Transfer the downloaded package to the affected Moxa Arm-based computer.
  3. Install the downloaded package with the following command:
     dpkg -i moxa-version_1.3.3+deb9_armhf.deb

Please contact Moxa Technical Support if you encounter any problems when applying the security patch.
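To confirm that the update took effect on UC and DA Series devices, the following check (an added example, not part of Moxa's advisory) classifies an installed moxa-version package as patched or vulnerable, either on the device itself or across an inventory list. It assumes that 1.3.3+deb9, the version of the package named in the offline procedure, is the first fixed release; the function names, the "host version" inventory format and the sample hosts are hypothetical.

```shell
#!/bin/sh
# Assumption: first fixed release, taken from the .deb named in the offline procedure.
FIXED_VERSION='1.3.3+deb9'

# version_ge A B: succeeds when Debian version A >= B.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Fallback for audit workstations without dpkg: GNU sort -V
        # approximates Debian version ordering for simple versions.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# classify_version VERSION: prints patched, vulnerable or not-installed.
classify_version() {
    if [ -z "$1" ]; then
        echo not-installed
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_version: prints the version of moxa-version only when the
# package is fully installed (ignores removed or half-configured states).
installed_version() {
    dpkg-query -W -f='${Status} ${Version}\n' moxa-version 2>/dev/null |
        sed -n 's/^install ok installed //p'
}

# audit_inventory: reads "host version" lines on stdin, prints "host status".
audit_inventory() {
    while read -r host ver; do
        if [ -n "$host" ]; then
            echo "$host $(classify_version "$ver")"
        fi
    done
}

# Run on the device itself:
echo "this device: $(classify_version "$(installed_version)")"

# Constructed sample inventory (hostnames and versions are made up):
printf 'uc-8100-a 1.3.1+deb9\nuc-2100-b 1.3.3+deb9\n' | audit_inventory
```
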

AIG-300 Series

Use ThingsPro Proxy:

  1. Download the latest ThingsPro Proxy utility from Moxa’s website and install it on your personal computer.
  2. Follow the instructions in the ThingsPro Proxy User’s Manual to upgrade your devices.

For devices that participate in the Moxa DLM Service preview program

  1. Log in to your Moxa DLM Service account.
  2. Go to “Repository – Software” and apply “AIG-301 security patch for IPV-220803”

 

Acknowledgment:

We would like to express our appreciation to Mikael Vingaard from En Garde ICSRange research team for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

 

Revision History:

VERSION | DESCRIPTION | RELEASE DATE
1.0 | First Release | Nov 22, 2022

 
