CVE-2022-3088 - Privilege Escalation Vulnerability in Moxa ARM-based Computers – What You Need to Know

In 2022, a serious security issue known as CVE-2022-3088 was discovered in multiple Moxa ARM-based industrial computers. This vulnerability enables an attacker who already has basic user access to escalate their privileges and gain root (administrator) control of the device.

This flaw affects a wide range of Moxa devices and firmware versions, commonly used in industrial and critical infrastructure settings. If exploited, attackers could potentially compromise system safety, disrupt operations, and spread threats across networks.

What is CVE-2022-3088?

CVE-2022-3088 refers to a privilege escalation vulnerability caused by applications running with *unnecessary privileges* on Moxa’s ARM-based computers. Specifically, the vulnerability comes from certain binaries that have the “setuid” bit enabled or run as root even when a regular user could run them. This allows local attackers to execute code with root permissions, bypassing standard security boundaries.

DA-662C-16-LX (GLB) (v1..2 to v1.1.2)

If you operate any of these devices, *please check your firmware version and review the fix guidance below*.

Technical Background

In Unix-like systems (including Linux, used in these Moxa devices), each file and program has ownership and permission settings. Sometimes, a binary may have the “setuid” bit set, which runs it as a specific user (often root), regardless of who launches it.

If an attacker can find such a binary operated by root and it’s exploitable (such as allowing execution of arbitrary code or commands), they can escalate their privileges from a basic user account to “root.”

On affected Moxa devices, some system files and services run with these unnecessary elevated privileges. An attacker or rogue user with limited access can leverage this to become the administrator.

Example Exploit Scenario

Let’s assume a vulnerable binary /usr/bin/vulnerable_binary exists on the device and has "setuid" set for root.

Login as a regular user and run

find / -perm -400 -type f 2>/dev/null

Assume you notice

-rwsr-xr-x 1 root root 12345 Jan  1 12:00 /usr/bin/vulnerable_binary

If vulnerable_binary allows you to pass a command (or inject malicious code), you can execute

/usr/bin/vulnerable_binary --run-cmd="id"

If it’s vulnerable, the output will be

uid=(root) gid=(root) groups=(root)

If possible, spawn a shell as root

/usr/bin/vulnerable_binary --run-cmd="/bin/sh"

Now you’re operating as the root user.

> Note: This is a hypothetical example. The real exploit depends on which binaries are affected and how they process user input.

Update Device Firmware:

Moxa has released patched firmware. Check the official advisory for details and downloads.

Only allow trusted personnel to have shell access.

3. Disable or Remove Unnecessary Users/Binaries:

References

- Moxa Official Security Advisory for CVE-2022-3088
- National Vulnerability Database Entry
- ICS-CERT Advisory ICSA-22-271-04
- Unix ‘setuid’ and privilege escalation explained

Conclusion

CVE-2022-3088 is a critical vulnerability affecting a wide range of Moxa ARM-based industrial computers. If you own or manage any devices or systems using the listed firmware, it is essential to update immediately and follow best security practices to avoid compromise.

Keeping industrial and embedded devices updated and locked down is key to protecting critical infrastructure from escalating cyber threats. Stay alert, stay patched!


*If you found this useful, consider sharing it with your IT or OT security team.*

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/07/2022 20:15:00 UTC