Critical OpenSSH flaw exposes Moxa industrial switches to remote takeover
Take action: Make sure all Moza devices are isolated from the internet and accessible from trusted networks only. Contact Moxa support to get the latest firmware for your EDS and RKS switches.
Learn More
Moxa released a critical security advisory about a flaw in its industrial Ethernet switches that allows attackers to execute arbitrary code remotely without needing a password or user interaction. The problem is caused by a thied party library how the devices handle OpenSSH.
The vulnerability is tracked as CVE-2023-38408 (CVSS score 9.8) - an unquoted search path vulnerability in OpenSSH that enables remote code execution when an agent is forwarded to a compromised system.
If a user forwards their ssh-agent to a computer an attacker already controls, the attacker can force the agent to load a malicious library.
Affected Moxa models include the EDS-G4000, EDS-4008, EDS-4009, EDS-4012, EDS-4014, EDS-G4008, EDS-G4012, and EDS-G4014 series running firmware version 4.1 and earlier. Additionally, the RKS-G4000, RKS-G4028, and RKS-G4028-L3 series with firmware v5.0 and earlier require immediate attention.
Moxa has released firmware updates to fix this issue. Administrators should contact Moxa Technical Support to get version 4.1.58 for EDS series switches and version 5.0.4 for RKS series switches. Until you can apply these patches, isolate these devices from the public internet and ensure they are only reachable through a secure VPN or trusted internal network.
