
SUMMARY

NPort IAW5000A-I/O Series Serial Device Servers Vulnerabilities

  • Version: V1.2
  • Release Date: Oct 08, 2020
  • Reference:
    • BDU-2020-04049, BDU-2020-04050, BDU-2020-04051, BDU-2020-04052, BDU-2020-04053, BDU-2020-04054
    • CVE-2020-25198, CVE-2020-25194, CVE-2020-25153, CVE-2020-25190, CVE-2020-25196, CVE-2020-25192

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Serial Device Servers. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item 1: Session Fixation (CWE-384), BDU-2020-04049, CVE-2020-25198
Impact: This vulnerability allows an attacker to gain access to a session and hijack it by stealing the user’s cookies.

Item 2: Improper Privilege Management (CWE-269, CWE-266), BDU-2020-04050, CVE-2020-25194
Impact: This vulnerability allows a person with user privileges to perform requests with administrative privileges.

Item 3: Weak Password Requirements (CWE-521), BDU-2020-04051, CVE-2020-25153
Impact: This vulnerability allows users to set weak passwords.

Item 4: Cleartext Transmission of Sensitive Information (CWE-319), BDU-2020-04052, CVE-2020-25190
Impact: The web server stores and transmits the credentials of third-party services in cleartext.

Item 5: Improper Restriction of Excessive Authentication Attempts (CWE-307), BDU-2020-04053, CVE-2020-25196
Impact: This vulnerability allows a person to bypass authentication on an SSH/Telnet session by brute force.

Item 6: Information Exposure (CWE-200), BDU-2020-04054, CVE-2020-25192
Impact: This vulnerability allows an attacker to access sensitive information in the built-in web service without proper authorization.

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series: NPort IAW5000A-I/O Series
Affected Versions: Firmware Version 2.1 or lower
Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series: NPort IAW5000A-I/O Series
Solution: Please download the new firmware here.

Acknowledgment:

We would like to express our appreciation to Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
Revision History:

Version 1.0 (Aug 20, 2020): First release.
Version 1.1 (Oct 08, 2020): Added reference information: BDU-2020-04049, BDU-2020-04050, BDU-2020-04051, BDU-2020-04052, BDU-2020-04053, BDU-2020-04054.
Version 1.2 (Oct 14, 2020): Added reference information that includes the CVE IDs and ICS-CERT's security advisory.
