Severity

High

Analysis Summary

CVE-2019-9099

Two separate issues cause a buffer overflow in the built-in web server that may allow a remote attacker to initiate a DoS attack and execute arbitrary code.

CVE-2019-9098

An integer overflow causes unexpected memory allocation that can lead to a buffer overflow.

CVE-2019-9102

A predictable mechanism of generating tokens allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism.

CVE-2019-9095

A weak cryptographic algorithm with predictable variables may allow sensitive information to be revealed.

CVE-2019-9103

An attacker can access sensitive information and usernames via the built-in web service without proper authorization

CVE-2019-9101

Sensitive information is transmitted over some web applications in clear text.

CVE-2019-9096

Weak password requirements may allow an attacker to gain access by using brute force.

CVE-2019-9104

Sensitive information is stored in configuration files without encryption, which may allow an attacker to access an administrative account.

CVE-2019-9097

The web service may become temporarily unavailable if an attacker is able to overload the system to cause the service to crash.

Impact

• Crashing of device
• Buffer overflow
• Allow remote execution of arbitrary code
• Allow access to sensitive information

Affected Vendors

Moxa

Affected Products

• MB3170 series firmware Version 4.0 or lower
• MB3270 series firmware Version 4.0 or lower
• MB3180 series firmware Version 4.0 or lower
• MB3280 series firmware Version 4.0 or lower
• MB3480 series firmware Version 4.0 or lower
• MB3660 series firmware Version 4.0 or lower

Remediation

Upgrade to latest versions of affected software.

• MB3170 Series: Download the new firmware.
• MB3270 Series: Download the new firmware.
• MB3180 Series: Download the new firmware
• MB3280 Series: Download the new firmware.
• MB3480 Series: Download the new firmware.
• MB3660 Series: Download the new firmware