SUMMARY

ThingsPro 2 Series System Software Vulnerabilities

  • Security Advisory ID: MCSA-181001
  • Version: 1.0
  • Release Date: Oct 17, 2018

Multiple product vulnerabilities were identified in Moxa’s ThingsPro 2 Series System Software. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item | Vulnerability Type | Impact
--- | --- | ---
1 | User enumeration | A remote attacker can find valid users in web applications and use brute force to exploit this vulnerability to find the corresponding password.
2 | User privilege escalation | The exploitation of this vulnerability allows the remote attacker to gain more privileges.
3 | Broken access control | The exploitation of this vulnerability allows the remote attacker to gain more privileges.
4 | The server does not require the old password when changing the password | It is too easy for a remote attacker to change the password.
5 | Cleartext storage of sensitive information | The remote attacker can guess the token permissions.
6 | Privilege escalation exists on hidden token | The remote attacker could gain root privileges and execute commands by accessing the hidden token API.
7 | Remote code execution | The remote attacker can use this to inject strings and force the server to run additional commands.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products

The affected products and firmware versions are shown below.

Product Series | Affected Version
--- | ---
ThingsPro 2 Series Software | Version 2.1 or prior


Solutions

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

ThingsPro 2 Series: For item 1 (user enumeration), Moxa suggests using a strong password, for example:

• Minimum 8 characters
• At least one number (0 to 9)
• A combination of lower- and upper-case letters (A to Z, a to z)
• At least one special character: ~ ! @ # $ % ^ & * -

Moxa has addressed these vulnerabilities with a new firmware release for ThingsPro 2 Series, Version 2.3 or later; please contact your sales representative to obtain the firmware.

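The following is an added illustration, not Moxa's code, of two defensive measures the advisory touches on: a check for the suggested password policy (item 1) and a password-change flow that refuses to proceed unless the caller proves the current password (item 4). The hash function, salt handling and the `store` dictionary are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional, Tuple

# Policy from the advisory: minimum 8 characters, at least one digit,
# both lower- and upper-case letters, at least one of these specials.
SPECIALS = "~!@#$%^&*-"


def password_meets_policy(password: str) -> bool:
    """Return True only if every rule of the suggested policy holds."""
    if len(password) < 8:
        return False
    if not re.search(r"[0-9]", password):
        return False
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        return False
    return any(ch in SPECIALS for ch in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 (assumed parameters, not the product's format)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def change_password(store: Dict[str, Tuple[bytes, bytes]], user: str, old: str, new: str) -> bool:
    """Hardened flow for item 4: the old password must verify and the new
    one must meet the policy; otherwise the stored record is left untouched."""
    record = store.get(user)
    if record is None or not verify_password(old, *record):
        return False
    if not password_meets_policy(new):
        return False
    store[user] = hash_password(new)
    return True
```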

Acknowledgment

We would like to thank Mr. Alexander Nochvay from Kaspersky Lab ICS CERT for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.


Revision History

Version | Description | Release Date
--- | --- | ---
1.0 | First Release | Oct 17, 2018