
SUMMARY

Moxa's Response Regarding Sudo Heap-based Buffer Overflow Vulnerability (CVE-2021-3156)

Sudo is a utility included in many Linux-based operating systems that allows a user to run programs with the security privileges of another user. A heap-based buffer overflow vulnerability has been found in Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1. An attacker could exploit this vulnerability to take control of an affected system.

Moxa's Cyber Security Response Team (CSRT) is fully engaged in this matter and we are taking appropriate action. If there are any updates to the status of the vulnerabilities or how these affect Moxa's products, we will provide an update immediately.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Category             Product Series          Affected Versions
Arm-based Computers          UC-2100 Series          Moxa Industrial Linux v1.0
Arm-based Computers          UC-2100-W Series        Moxa Industrial Linux v1.0
Arm-based Computers          UC-3100 Series          Moxa Industrial Linux v1.0
Arm-based Computers          UC-5100 Series          Moxa Industrial Linux v1.0
Arm-based Computers          UC-8100 Series          Moxa Industrial Linux v1.0
Arm-based Computers          UC-8100A-ME-T Series    Moxa Industrial Linux v1.0
Arm-based Computers          UC-8100-ME-T Series     Debian 8.x
Arm-based Computers          UC-8100-ME-T Series     Moxa Industrial Linux v1.0
Arm-based Computers          UC-8200 Series          Moxa Industrial Linux v1.0
Arm-based Computers          UC-8410A Series         Debian 8.x
Arm-based Computers          UC-8410A Series         Moxa Industrial Linux v1.0
Arm-based Computers          UC-8540 Series          Debian 8.x
Arm-based Computers          UC-8580 Series          Moxa Industrial Linux v1.0
x86 Computers                MC-1100 Series          Debian 8.x
x86 Computers                MC-1100 Series          Debian 9.x
x86 Computers                MC-1200 Series          Debian 9.x
x86 Computers                V2201 Series            Debian 9.x
x86 Computers                V2403 Series            Debian 9.x
x86 Computers                V2406A Series           Debian 8.x
x86 Computers                V2406C Series           Debian 7.x
x86 Computers                V2416A Series           Debian 9.x
x86 Computers                V2426A Series           Debian 7.x
x86 Computers                V2616A Series           Debian 7.x
x86 Computers                DA-681C Series          Debian 7.x
x86 Computers                DA-681A Series          Debian 9.x
x86 Computers                DA-682C Series          Debian 8.x
x86 Computers                DA-720 Series           Debian 9.x
x86 Computers                DA-820C Series          Debian 8.x
Panel Computers & Displays   MPC-2070 Series         Debian 9.x
Panel Computers & Displays   MPC-2101 Series         Debian 9.x
Panel Computers & Displays   MPC-2120 Series         Debian 9.x
Panel Computers & Displays   MPC-2121 Series         Debian 9.x
Controller and I/Os          ioThinx 4530 Series     Firmware Edition 1.3 or lower

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Category             Product Series
Arm-based Computers          UC-2100, UC-2100-W, UC-3100, UC-5100, UC-8100, UC-8100A-ME-T,
                             UC-8100-ME-T, UC-8200, UC-8410A, UC-8540, UC-8580 Series
x86 Computers                MC-1100, MC-1200, V2201, V2403, V2406A, V2406C, V2416A, V2426A,
                             V2616A, DA-681C, DA-681A, DA-682C, DA-720, DA-820C Series
Panel Computers & Displays   MPC-2070, MPC-2101, MPC-2120, MPC-2121 Series
Controller and I/Os          ioThinx 4530 Series

Solutions (the same solution applies to every product series listed above):

For firmware with Debian 8.x, follow the steps below to upgrade the sudo package to version 1.8.10p3-1+deb8u8.
For firmware with Debian 9.x or Moxa Industrial Linux (MIL), follow the steps below to upgrade the sudo package to version 1.8.19p1-2.1+deb9u3.

Solution 1: Upgrade the package from the Moxa Debian repository

    Step 1. Update the apt package information
    root@Linux:~$ apt-get update

    Step 2. Install the sudo package
    root@Linux:~$ apt-get install sudo

    Note: The debian.moxa.com repository is preconfigured on the system. If you cannot reach the repository, check that the Moxa Debian repository is present in the apt source list. Open moxa.sources.list in the vi editor:
    root@Linux:~$ vi /etc/apt/sources.list.d/moxa.sources.list
    If the entry is missing, add the following line to moxa.sources.list:
    - For Debian 8.x:
      deb http://debian.moxa.com/debian jessie main
    - For Debian 9.x or MIL:
      deb http://debian.moxa.com/debian stretch main

Solution 2: Download the deb file from the Moxa Debian repository, then upload it to the device (via USB, SD card, SCP, etc.) to perform the update.

    Step 1. Download the latest sudo deb file:
        For Debian 8.x amd64 systems: Download from here.
        For Debian 8.x armhf systems: Download from here.
        For Debian 9.x or MIL armhf systems: Download from here.
        For Debian 9.x or MIL amd64 systems: Download from here.

    Step 2. Upload the deb file to the device via USB, SD card, the SCP command, etc.

    Step 3. Install the deb file with the dpkg -i command.
    root@Linux:~$ dpkg -i <deb file name>
    e.g.
    root@Linux:~$ dpkg -i sudo_1.8.19p1-2.1+deb9u3_armhf.deb

For firmware with Debian 7.x, no patch is available because the Debian community's LTS (Long-term Support) for it ended on May 31, 2018.
For firmware with Debian 8.x, no further patch will be available because the Debian community's LTS for it ended on June 30, 2020.
To mitigate the risk, ensure that the device cannot be accessed by unauthorized users. Upgrading to Debian 9 (Stretch) or Debian 10 (Buster) is also recommended.
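The advisory names the patched Debian package versions but does not show how to verify that a device already carries them. The script below is an added example, not Moxa's own tooling: it classifies an installed sudo package on a Debian 8.x (jessie) or Debian 9.x / MIL (stretch) device against the fixed versions given above, so the result of Solution 1 or Solution 2 can be checked before and after the upgrade. It assumes dpkg is available for version comparison (with GNU sort -V as a fallback), that dpkg-query can report the installed package, and that /etc/os-release sets VERSION_CODENAME (true on Debian 9.x; on other releases pass the codename explicitly). The function names and the sample versions in the comments are constructed for this example. The ioThinx 4530 runs a firmware edition rather than a Debian package, so this check does not apply to it.

```shell
#!/bin/sh
# Added example, not Moxa's script: classify the installed sudo package on a
# Debian 8.x (jessie) / Debian 9.x or MIL (stretch) device against the fixed
# package versions the advisory names for CVE-2021-3156.

# Fixed Debian package versions as stated in the advisory.
FIXED_SUDO_JESSIE="1.8.10p3-1+deb8u8"
FIXED_SUDO_STRETCH="1.8.19p1-2.1+deb9u3"

# fixed_version_for CODENAME: print the fixed package version for the release,
# or fail for releases the advisory provides no patched package for (Debian 7.x).
fixed_version_for() {
    case "$1" in
        jessie)  printf '%s\n' "$FIXED_SUDO_JESSIE" ;;
        stretch) printf '%s\n' "$FIXED_SUDO_STRETCH" ;;
        *)       return 1 ;;
    esac
}

# version_ge A B: succeed when Debian package version A is >= B.
# Uses dpkg's own comparison when available; otherwise falls back to GNU
# sort -V, which orders the Debian revisions used here correctly (assumption).
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# sudo_status CODENAME INSTALLED: print one of
#   fixed        - installed package is at or above the advisory's fixed version
#   vulnerable   - installed package is older than the fixed version
#   unsupported  - the advisory provides no patched package for this release
# The upstream version alone is not enough: 1.8.19p1 lies inside the affected
# range 1.8.2 through 1.8.31p2, yet Debian's 1.8.19p1-2.1+deb9u3 carries the
# backported fix, so the Debian revision (+deb9u3) is what must be compared.
sudo_status() {
    fixed=$(fixed_version_for "$1") || { printf 'unsupported\n'; return 0; }
    if version_ge "$2" "$fixed"; then
        printf 'fixed\n'
    else
        printf 'vulnerable\n'
    fi
}

# Stand-alone use on a device:  ./sudo-check.sh --device [CODENAME]
# The codename is read from /etc/os-release (assumes VERSION_CODENAME is set,
# as on Debian 9.x) unless given as the second argument, e.g. "--device jessie".
if [ "${1:-}" = "--device" ]; then
    codename=${2:-$(. /etc/os-release 2>/dev/null; printf '%s' "${VERSION_CODENAME:-}")}
    installed=$(dpkg-query -W -f='${Version}' sudo 2>/dev/null) || installed=""
    if [ -z "$installed" ]; then
        printf 'sudo package is not installed\n'
    else
        printf 'sudo %s on %s: %s\n' "$installed" "${codename:-unknown}" \
            "$(sudo_status "${codename:-unknown}" "$installed")"
    fi
fi
```

Run it once before applying Solution 1 or 2 (expect "vulnerable" on an unpatched device) and again afterwards (expect "fixed"). A device reporting "unsupported" is on a release the advisory has no package for, which is the Debian 7.x case where the advisory's recommendation is to restrict access and upgrade the release.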

Revision History:

VERSION   DESCRIPTION     RELEASE DATE
1.0       First Release   Feb 17, 2021
