SB2018030204 - Multiple vulnerabilities in Moxa OnCell G3100-HSPA Series
Published: March 2, 2018
Security Bulletin ID
SB2018030204
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Brute-force attack (CVE-ID: CVE-2018-5455)
CWE-ID: CWE-565 - Reliance on Cookies without Validation and Integrity Checking
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows remote attacker to perform brute-force attack on the target system.
The vulnerability exists due to the application allows a cookie parameter to consist of only digits. A remote attacker can perform a brute force attack, bypass authentication and gain access to device functions.
Successful exploitation of this vulnerability may result in unauthorized access to the system.
2) Denial of service (CVE-ID: CVE-2018-5453)
CWE-ID: CWE-130 - Improper Handling of Length Parameter Inconsistency
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows remote attacker to cause DoS condition on the target system.
The vulnerability exists due to improper handling of length parameter inconsistency. A remote attacker can edit the element of an HTTP request and cause the device to become unavailable.
3) Null pointer dereference (CVE-ID: CVE-2018-5449)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows remote attacker to cause DoS condition on the target system.
The vulnerability exists due to the application does not check for a NULL value. A remote attacker can trigger NULL pointer dereference and cause the device to become unavailable.
Remediation
Install update from vendor's website.