SUMMARY

EDR-810 Series Security Router Vulnerabilities

  • Version: V1.0
  • Release Date: Mar 23, 2021
  • Reference:
    • CVE-2014-2284, CVE-2015-1788, CVE-2016-10012, CVE-2015-3195, CVE-2016-6515, CVE-2017-17562, CVE-2013-0169, CVE-2016-0703, CVE-2013-1813, CVE-2010-2156
    • BDU:2015-07052, BDU:2015-11035, BDU:2017-00350, BDU:2016-01654, BDU:2018-00117, BDU:2018-00118, BDU:2015-09702, BDU:2016-00629, BDU:2015-09676, BDU:2018-00784

Multiple vulnerabilities were identified in Moxa’s EDR-810 industrial secure router. In response, Moxa has developed solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

| Item | Vulnerability Type | Impact |
|---|---|---|
| 1 | Improper Input Validation (CVE-2014-2284, BDU:2015-07052) | Crafted packets could potentially stop the SNMP operation of the EDR-810 series. |
| 2 | Resource Management Errors (CVE-2015-1788, BDU:2015-11035) | Malformed binary polynomial field allows remote attackers to cause a denial of service. |
| 3 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CVE-2016-10012, BDU:2017-00350) | SSH connection might allow local users to gain privileges by leveraging access to a sandboxed privilege-separation process. |
| 4 | Exposure of Sensitive Information to an Unauthorized Actor (CVE-2015-3195, BDU:2016-01654) | Malformed data might allow remote attackers to obtain sensitive information from process memory by triggering a decoding failure. |
| 5 | Improper Input Validation (CVE-2016-6515, BDU:2018-00117) | Crafted string for password authentication might allow remote attackers to cause a denial of service. |
| 6 | Improper Input Validation (CVE-2017-17562, BDU:2018-00118) | Crafted HTTP request might allow remote code execution. |
| 7 | Cryptographic Issues (CVE-2013-0169, BDU:2015-09702) | Out-of-date TLS protocol might allow remote attackers to conduct distinguishing attacks and plaintext-recovery attacks. |
| 8 | Exposure of Sensitive Information to an Unauthorized Actor (CVE-2016-0703, BDU:2016-00629) | Out-of-date SSL protocol might allow man-in-the-middle attackers to decrypt TLS ciphertext data. |
| 9 | Permissions, Privileges, and Access Controls (CVE-2013-1813, BDU:2015-09676) | Improper operation of authorized users may cause local users to have unknown impact and attack vectors via console. |
| 10 | Numeric Errors (CVE-2010-2156, BDU:2018-00784) | Crafted DHCP packets might allow remote attackers to cause a denial of service. |

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

| Product Series | Affected Versions |
|---|---|
| EDR-810 Series | For item 1: firmware version 5.7 or lower. For items 2 to 10: firmware version 5.1 or lower. |

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

| Product Series | Solutions |
|---|---|
| EDR-810 Series | For item 1: please upgrade to firmware version 5.8 or higher (Download Link). For items 2 to 10: please upgrade to firmware version 5.3 or higher (Download Link). |

Acknowledgment:

We would like to express our appreciation to BDU FSTEC for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

Revision History:

| Version | Description | Release Date |
|---|---|---|
| 1.0 | First Release | Mar 23, 2021 |
