SUMMARY

Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372

Multiple Moxa Ethernet switches are affected by the CVE-2023-48795 and CVE-2019-20372 vulnerabilities. These vulnerabilities pose potential security risks that could impact the integrity and functionality of the affected products. 


The identified vulnerability types and potential impacts are listed below:

Item | Vulnerability Type | Impact
1 | Improper Validation of Integrity Check Value (CWE-354), CVE-2023-48795 | This can allow a remote, man-in-the-middle attacker to bypass integrity checks and downgrade the connection's security.
2 | Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) (CWE-444), CVE-2019-20372 | This can allow HTTP request smuggling, leading to unauthorized access to web pages, bypassing security controls, and potential for further attacks.

Vulnerability Scoring Details 

ID | CVSS | Vector | Unauthenticated Remote Exploits
CVE-2023-48795 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | Yes
CVE-2019-20372 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Yes

AFFECTED PRODUCTS AND SOLUTIONS

The Affected Products:

The affected products and firmware versions are listed below.

Product Series Affected Versions
MDS-G4012 Series Firmware version 4.0 and earlier versions
MDS-G4020 Series Firmware version 4.0 and earlier versions
MDS-G4028 Series Firmware version 4.0 and earlier versions
MDS-G4012-L3 Series Firmware version 4.0 and earlier versions
MDS-G4020-L3 Series Firmware version 4.0 and earlier versions
MDS-G4028-L3 Series Firmware version 4.0 and earlier versions
MDS-G4012-4XGS Series Firmware version 4.0 and earlier versions
MDS-G4020-4XGS Series Firmware version 4.0 and earlier versions
MDS-G4028-4XGS Series Firmware version 4.0 and earlier versions
MDS-G4012-L3-4XGS Series Firmware version 4.0 and earlier versions
MDS-G4020-L3-4XGS Series Firmware version 4.0 and earlier versions
MDS-G4028-L3-4XGS Series Firmware version 4.0 and earlier versions

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for the affected products are listed below.

Product Series Solutions
MDS-G4012 Series Please contact Moxa Technical Support for further assistance
MDS-G4020 Series Please contact Moxa Technical Support for further assistance
MDS-G4028 Series Please contact Moxa Technical Support for further assistance
MDS-G4012-L3 Series Please contact Moxa Technical Support for further assistance
MDS-G4020-L3 Series Please contact Moxa Technical Support for further assistance
MDS-G4028-L3 Series Please contact Moxa Technical Support for further assistance
MDS-G4012-4XGS Series Please contact Moxa Technical Support for further assistance
MDS-G4020-4XGS Series Please contact Moxa Technical Support for further assistance
MDS-G4028-4XGS Series Please contact Moxa Technical Support for further assistance
MDS-G4012-L3-4XGS Series Please contact Moxa Technical Support for further assistance
MDS-G4020-L3-4XGS Series Please contact Moxa Technical Support for further assistance
MDS-G4028-L3-4XGS Series Please contact Moxa Technical Support for further assistance

 

Mitigations:

  • For CVE-2023-48795: Disabling vulnerable extensions can prevent the attack vector from being exploited. Additionally, implementing network segmentation can reduce the attack surface and contain potential breaches.

  • For CVE-2019-20372: Proper configuration can prevent exploitation by ensuring error pages are handled securely. Additionally, a Web Application Firewall (WAF) can provide an extra layer of security by filtering out potentially harmful requests before they reach NGINX.
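
To confirm the first mitigation took effect, an operator can inspect the algorithms a switch's SSH server offers in its SSH_MSG_KEXINIT message. The following is an added example, not Moxa's code: the algorithm names and the strict key exchange marker are taken from the public CVE-2023-48795 (Terrapin) disclosure and OpenSSH rather than from this advisory, and the sample payload is constructed inline.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists of SSH_MSG_KEXINIT, in wire order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict KEX marker
CHACHA = "chacha20-poly1305@openssh.com"


def build_kexinit(**lists):
    """Build a constructed KEXINIT payload (sample input, not a capture)."""
    out = bytes([20]) + bytes(16)  # message type 20, all-zero cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, parsed = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        parsed[name] = raw.split(",") if raw else []
        pos += n
    return parsed


def terrapin_exposure(server):
    """List offered modes affected by CVE-2023-48795 when the server lacks strict KEX.

    Strict KEX only protects a session if the connecting client supports it too.
    """
    if STRICT_KEX_SERVER in server["kex"]:
        return []
    findings = []
    for enc_f, mac_f in (("enc_c2s", "mac_c2s"), ("enc_s2c", "mac_s2c")):
        enc, mac = server[enc_f], server[mac_f]
        if CHACHA in enc:
            findings.append(f"{enc_f}: {CHACHA}")
        if any("-cbc" in e for e in enc) and any("-etm@" in m for m in mac):
            findings.append(f"{enc_f}: CBC cipher with EtM MAC")
    return findings
```

An empty result after reconfiguration means the server no longer offers an affected mode, or advertises strict key exchange.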

 

The Products That Are Not Vulnerable:

Only the products listed in the Affected Products section of this advisory are known to be affected by these vulnerabilities. Moxa has confirmed that these vulnerabilities do not affect the following products:

  • EDS-205A Series, EDS-208A Series, EDS-405A Series, EDS-408A Series, EDS-505A Series, EDS-508A Series, EDS-510A Series, EDS-516A Series, EDS-518A Series, EDS-G205A Series, EDS-P206A Series, EDS-P510A Series 
  • PT-7528 Series, PT-G503 Series, PT-G510 Series, PT-G7728 Series, PT-G7828 Series 
  • End-of-Life Products: PT-7728 Series, PT-7828 Series 

 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First release November 1, 2024
1.1 Updated the solutions November 22, 2024
