Product support

Security Advisories

SUMMARY

AWK-3131A Series Industrial AP/Bridge/Client Vulnerabilities

  • Version: V1.0
  • Release Date: Feb 24, 2020
  • Reference:
    • CVE-2019-5136, CVE-2019-5137, CVE-2019-5138, CVE-2019-5139, CVE-2019-5140, CVE-2019-5141, CVE-2019-5142, CVE-2019-5143, CVE-2019-5148, CVE-2019-5153, CVE-2019-5162, CVE-2019-5165
    • TALOS-2019-0925, TALOS-2019-0926, TALOS-2019-0927, TALOS-2019-0928, TALOS-2019-0929, TALOS-2019-0930, TALOS-2019-0931, TALOS-2019-0932, TALOS-2019-0938, TALOS-2019-0944, TALOS-2019-0955, TALOS-2019-0960

Multiple product vulnerabilities were identified in Moxa’s AWK-3131A industrial AP/Bridge/Client Series. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1 Improper Access Control (CWE-284)
CVE-2019-5136 / TALOS-2019-0925
Improper system access as a higher privilege user. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
2 Use of Hard-coded Cryptographic Key (CWE-321)
CVE-2019-5137 / TALOS-2019-0926
Exploitable Hard-coded Cryptographic Key allows for the decryption of captured traffic.
3 Improper Neutralization of Special Elements used in an OS Command (CWE-78)
CVE-2019-5138 / TALOS-2019-0927
Remote Command Injection to gain control over a device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
4 Use of Hard-coded Credentials (CWE-798)
CVE-2019-5139 / TALOS-2019-0928
Exploitable hard-coded credentials.
5 Improper Neutralization of Special Elements used in an OS Command (CWE-78)
CVE-2019-5140 / TALOS-2019-0929
Remote Command Injection to gain control over a device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
6 Improper Neutralization of Special Elements used in an OS Command (CWE-78)
CVE-2019-5141 / TALOS-2019-0930
Remote Command Injection to gain control over a device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
7 Improper Neutralization of Special Elements used in an OS Command (CWE-78)
CVE-2019-5142 / TALOS-2019-0931
Remote Command Injection to gain control over a device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
8 Buffer Copy without Checking Size of Input (CWE-120)
CVE-2019-5143 / TALOS-2019-0932
This vulnerability may cause remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
9 Out-of-bounds Read (CWE-125)
CVE-2019-5148 / TALOS-2019-0938
An attacker can send a crafted packet and cause denial-of-service of the device.
10 Stack-based Buffer Overflow (CWE-121)
CVE-2019-5153 / TALOS-2019-0944
This vulnerability may cause remote code execution. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
11 Improper Access Control (CWE-284)
CVE-2019-5162 / TALOS-2019-0955
Improper remote shell access to the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
12 Authentication Bypass Using an Alternate Path or Channel (CWE-288)
CVE-2019-5165 / TALOS-2019-0960
An exploitable authentication bypass vulnerability. Attacker can trigger authentication bypass on specially configured device.
AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
AWK-3131A Series Firmware Version 1.13 or lower

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
AWK-3131A Series Please download the new firmware here.

Acknowledgment:

We would like to express our appreciation to Jared Rittle, Carl Hurd, Patrick DeSantis, and Alexander Perez Palma from Cisco Talos for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Feb 24, 2020
1.1 Added the link to download the firmware Jun 03, 2020

Relevant Products

AWK-3131A Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag