As of June 15, 2022, this site no longer supports Internet Explorer. Please use another browser for the best experience on our site.

Product support

Security Advisories

SUMMARY

MXsecurity Series Multiple Vulnerabilities

These vulnerabilities are caused by the improper design or implementation of authentication mechanisms and input validation. Exploiting these vulnerabilities could enable an attacker to bypass authentication, which could lead to the unauthorized disclosure or tampering of authenticated information, unauthorized access to sensitive data, and remote access without proper authorization.


The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1
Small Space of Random Values (CWE-334)
CVE-2023-39979
An attacker can bypass authentication to gain unauthorized access.
2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
CVE-2023-39980
An attacker can change the SQL command to gain unauthorized access to disclose information.
3
Improper Authentication (CWE-287)
CVE-2023-39981
An attacker can gain unauthorized access to disclose device information.
4
Use of Hard-coded Credentials (CWE-798)
CVE-2023-39982
An attacker can facilitate man-in-the-middle attacks and enable the decryption of SSH traffic.
5
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
CVE-2023-39983
An attacker can register/add a device via the nsm-web application.

 

Vulnerability Scoring Details

ID CVSS V3.1 VECTOR REMOTE EXPLOIT WITHOUT AUTH?
CVE-2023-39979 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Yes
CVE-2023-39980 7.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N No
CVE-2023-39981 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Yes
CVE-2023-39982 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Yes
CVE-2023-39983 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Yes

 

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
MXsecurity Series
Software version v1.0.1 and prior versions

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
MXsecurity Series Please upgrade to firmware v1.1.0 or later.

 

Mitigation

  • Minimize network exposure to ensure the device is not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
  • The starting point of all the above vulnerabilities is from the web service, so it is suggested to disable web service temporarily if you completed configuration to prevent further damages from these vulnerabilities until installed patch or updated firmware. 

 

Products Confirmed Not Vulnerable:

Only products listed in the Affected Products section of this advisory are known to be affected by these vulnerabilities. 

 

Acknowledgment:

We would like to express our appreciation to Noam Moshe of Claroty Research - Team82 for reporting the vulnerabilities (CVE-2023-39979, CVE-2023-39980, and CVE-2023-39981), Darren Martyn for advising on a vulnerability (CVE-2023-39982), and James Sebree from the Tenable Bug Bounty Program for his contribution in reporting a vulnerability (CVE-2023-39983) and working with us to help enhance the security of our products and provide a better service to our customers.

 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Sept. 1, 2023
1.1 Update credit to Claroty Sept. 1, 2023

Relevant Products

MXsecurity Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag
You have some items waiting in your bag; click here to finish your quote!
Feedback