Unrated severity · NVD Advisory · Published Aug 17, 2023 · Updated Oct 28, 2024

Second Order Command-injection Vulnerability in the Certificate-generation Function

CVE-2023-34214

Description

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to a command-injection vulnerability. This vulnerability stems from insufficient input validation in the certificate-generation function, which could potentially allow malicious users to execute remote code on affected devices.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

TN-4900 and TN-5900 series firmware are vulnerable to command injection via insufficient input validation in the certificate-generation function, allowing remote code execution.

Vulnerability

A command-injection vulnerability exists in the certificate-generation function of TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior [1]. The flaw stems from insufficient input validation, which allows an attacker to inject arbitrary operating system commands during certificate generation [1]. This vulnerability is part of a set of multiple web server vulnerabilities affecting these product series [1].
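An added example, not Moxa's code and not part of the advisory: one way a certificate-generation routine can resist a second-order flaw of this class is to re-validate stored subject fields at the point of use and hand them to the tool as an argument list, never as a shell string. The field names, the allowlist, the sample values and the `openssl` invocation are assumptions chosen for illustration.

```python
import re
import subprocess

# Assumed subject fields for a device-generated certificate (not from the advisory).
SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN")
# Allowlist: letters, digits, space, dot, underscore, hyphen; 1 to 64 characters.
# It excludes shell metacharacters and also "/" and "=", which would alter -subj parsing.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

# Constructed sample settings, as they might be read back from device storage.
SAMPLE_OK = {"CN": "router-01.example", "O": "Example Rail"}
SAMPLE_BAD = {"CN": "router-01; reboot"}


def validate_subject(stored):
    """Re-validate values at the point of use, even if they were checked when saved."""
    clean = {}
    for key, value in stored.items():
        if key not in SUBJECT_FIELDS:
            raise ValueError(f"unexpected subject field: {key!r}")
        if not isinstance(value, str) or not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected value for subject field {key}")
        clean[key] = value
    if "CN" not in clean:
        raise ValueError("subject needs a CN")
    return clean


def build_openssl_argv(stored, key_path, cert_path):
    """Build an argument vector; every value stays a single argv element."""
    subject = validate_subject(stored)
    subj = "".join(f"/{k}={subject[k]}" for k in SUBJECT_FIELDS if k in subject)
    return ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
            "-days", "365", "-subj", subj,
            "-keyout", key_path, "-out", cert_path]


def generate_certificate(stored, key_path, cert_path):
    """Run openssl directly (a list with shell=False), so no shell parses the values."""
    argv = build_openssl_argv(stored, key_path, cert_path)
    subprocess.run(argv, check=True, shell=False)
```

Validation happens inside `build_openssl_argv`, so a value that reached storage through another path is still rejected before any process is started.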

Exploitation

An attacker must be able to send crafted requests to the device's web server to exploit the certificate-generation function [1]. The attack requires network access to the affected device but does not require authentication, as the vulnerable endpoint is accessible without valid credentials [1]. The attacker injects malicious payloads into input fields that are not properly sanitized, leading to command execution on the underlying operating system [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the affected device with the privileges of the web server process [1]. This can lead to complete compromise of the device, including unauthorized access, data exfiltration, and potential disruption of network services. The CVSS severity is not specified in the reference, but the nature of remote code execution indicates critical impact [1].

Mitigation

Moxa has released firmware updates to address these vulnerabilities. Users should update TN-4900 Series devices to a firmware version later than v1.2.4 and TN-5900 Series devices to a firmware version later than v3.3 [1]. As an interim mitigation, Moxa recommends minimizing network exposure by ensuring the device is not accessible from the internet and using secure methods such as VPNs for remote access [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

References

1