Multiple vulnerabilities in Moxa MXview Network Management Software



Published: 2021-10-06
Risk: High
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2021-38452, CVE-2021-38456, CVE-2021-38460, CVE-2021-38458, CVE-2021-38454
CWE-ID: CWE-22, CWE-259, CWE-523, CWE-74, CWE-284
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: MXview (Client/Desktop applications / Other client software)
Vendor: Moxa

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Path traversal

EUVDB-ID: #VU57083

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38452

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and create or overwrite critical files.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

MXview: 3.2.2

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-278-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use of Hard-coded Password

EUVDB-ID: #VU57084

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38456

CWE-ID: CWE-259 - Use of Hard-coded Password

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists because the software contains a hard-coded password. A remote attacker can gain access through accounts using default passwords.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MXview: 3.2.2

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-278-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Unprotected Transport of Credentials

EUVDB-ID: #VU57085

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38460

CWE-ID: CWE-523 - Unprotected Transport of Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to password leakage. A remote attacker can obtain credentials through unprotected transport.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MXview: 3.2.2

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-278-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper Neutralization of Special Elements in Output Used by a Downstream Component

EUVDB-ID: #VU57086

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38458

CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper neutralization of special elements. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MXview: 3.2.2

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-278-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU57087

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-38454

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists because the affected product has a misconfigured service that allows remote connections to internal communication channels. A remote attacker can bypass implemented security restrictions and interact with and use MQTT.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

MXview: 3.2.2

External links

http://ics-cert.us-cert.gov/advisories/icsa-21-278-03


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


