The OnCell G3150A-LTE Series prior to version 1.3 is affected by multiple web application vulnerabilities: CVE-2004-2761, CVE-2013-2566, CVE-2016-2183, CVE-2023-6093, and CVE-2023-6094. These vulnerabilities are caused by applying weak cryptographic algorithms and cipher suites, and incorrectly restricts frame objects. Successful exploitation of these vulnerabilities could lead to unauthorized access and unexpected user interaction with the web application. 

The identified vulnerability types and potential impacts are shown below:

Affected Products:

The affected products and firmware versions are shown below.

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities (CVE-2004-2761, CVE-2013-2566, CVE-2016-2183), implementing the following security enhancements:  

• Substitute weak cipher suites and algorithms with approved ones. 

Mitigation 

Since Oncell G3150A-LTE has been phased out, we don’t have any plans to address CVE 2023-6093 and CVE-2023-6094. We recommend that users follow the mitigation measures below to deploy the product in an appropriate product security context. 

Moxa recommends users to implement the following mitigations if necessary: 

• Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet. 

• Place control system networks and remote devices behind firewalls, isolating them from business networks. 

• When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices. 

Revision History: