SB2020022406 - Multiple vulnerabilities in Moxa AWK-3131A Series


Published: February 24, 2020

Security Bulletin ID: SB2020022406
Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 67%, Medium: 33%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2019-5153)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "iw_webs" configuration parsing functionality. A remote authenticated attacker can send specially crafted commands, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


2) Out-of-bounds read (CVE-ID: CVE-2019-5148)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the "ServiceAgent" functionality. A remote attacker can send a specially crafted packet, trigger an out-of-bounds read error and cause a denial of service condition on the system.


3) Improper access control (CVE-ID: CVE-2019-5162)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "iw_webs" account settings functionality. A specially crafted user name entry can overwrite the password of an existing user account. A remote authenticated attacker can send specially crafted commands, bypass implemented security restrictions and gain unauthorized access to the application.


4) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2019-5165)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to improper implementation of the authentication process in the hostname functionality. A remote authenticated attacker can send specially crafted SNMP requests and trigger an authentication bypass on a specially configured device.

5) Buffer overflow (CVE-ID: CVE-2019-5143)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the "iw_console" and "conio_writestr" functionalities. A remote authenticated attacker can send specially crafted commands, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


6) OS Command Injection (CVE-ID: CVE-2019-5142)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "hostname" functionality. A remote authenticated attacker can send specially crafted requests and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


7) OS Command Injection (CVE-ID: CVE-2019-5138)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the encrypted diagnostic script functionality. A remote authenticated attacker can send a specially crafted diagnostic script file and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


8) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2019-5137)

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to the presence of a hard-coded cryptographic key within the "ServiceAgent" binary. A remote attacker can decrypt captured traffic.


9) Use of hard-coded credentials (CVE-ID: CVE-2019-5139)

The vulnerability allows a remote attacker to gain unauthorized access to the vulnerable system.

The vulnerability exists due to the presence of hard-coded credentials in multiple iw_* utilities. A remote unauthenticated attacker can access the affected system using the hard-coded credentials and create custom diagnostic scripts.



10) OS Command Injection (CVE-ID: CVE-2019-5140)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "iw_webs" functionality. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent "iw_system" call. A remote authenticated attacker can send specially crafted commands and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


11) OS Command Injection (CVE-ID: CVE-2019-5141)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in the "iw_webs" functionality. A specially crafted "iw_serverip" parameter can cause user input to be reflected in a subsequent "iw_system" call. A remote authenticated attacker can send specially crafted commands and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
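Items 6, 10 and 11 share one root cause: an operator-supplied value (a hostname, a script file name, the "iw_serverip" parameter) reaches a system-level call without validation. The following is an added example, not Moxa firmware code, of the defensive pattern that closes this class of bug: strict allowlist validation of the value, and applying it through a direct syscall rather than a shell command string. It assumes a Linux-style firmware where sethostname(2) is available; the function names are hypothetical.

```c
/* Added example (hypothetical names, not Moxa's code): validate operator input
 * against a strict allowlist and never route it through a shell. */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>

/* RFC 1123 hostname: labels of 1-63 chars from [A-Za-z0-9-], no label may
 * start or end with '-', total length <= 253, no empty or trailing label.
 * Spaces, quotes, ';', '`', '$', '|' and every other byte are rejected, so
 * shell metacharacters can never pass this check. */
int is_valid_hostname(const char *h)
{
    size_t len = strlen(h), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = h[i];
        if (c == '.') {
            /* empty label (leading dot or "..") or label ending in '-' */
            if (label == 0 || h[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;   /* leading '-' in label */
            if (++label > 63) return 0;            /* label too long */
        } else {
            return 0;                              /* any other byte */
        }
    }
    return label > 0 && h[len - 1] != '-';
}

/* Server IP parameter: accept only a dotted-quad IPv4 literal. inet_pton()
 * returns 1 for exactly that form and 0 for anything else. */
int is_valid_ipv4(const char *s)
{
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Apply the hostname with a direct syscall: no command string is built and
 * no shell is spawned, so the value cannot become a command even if a bug
 * elsewhere let it through. Returns -1 on invalid input or syscall failure. */
int apply_hostname(const char *h)
{
    if (!is_valid_hostname(h)) return -1;
    return sethostname(h, strlen(h));
}
```

apply_hostname() needs CAP_SYS_ADMIN to succeed on a real system; the validators run unprivileged.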


12) Improper access control (CVE-ID: CVE-2019-5136)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "iw_console" functionality. A remote authenticated attacker can use a specially crafted menu selection string to escape from the restricted console, send specially crafted commands, bypass implemented security restrictions and gain unauthorized access to the application.


Remediation

Install the update from the vendor's website.