Security Advisories

SUMMARY

OnCell G3100-HSPA Series and OnCell G3470A-LTE Series Cellular Gateway Vulnerabilities

  • Version: V1.0
  • Release Date: Feb 13, 2020
  • Reference:
    • CVE-2018-11420, CVE-2018-11423, CVE-2018-11424, CVE-2018-11425, CVE-2018-11426, CVE-2018-11427, CVE-2018-11421, CVE-2018-11422

Multiple vulnerabilities were identified in Moxa’s OnCell G3100-HSPA Series and OnCell G3470A-LTE Series Cellular Gateways. In response, Moxa has developed solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:
OnCell G3470A-LTE Series:

Item | Vulnerability Type | Impact
1 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), CVE-2018-11425 | Denial of service and remote code execution


OnCell G3100-HSPA Series:

Item | Vulnerability Type | Impact
1 | Uncontrolled Resource Consumption (CWE-400), CVE-2018-11420 | Remote code execution
2 | Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), CVE-2018-11423 | Denial of service and remote code execution
3 | Null Pointer Dereference (CWE-476), CVE-2018-11424 | Denial of service
4 | Improper Authentication (CWE-287), CVE-2018-11426 | Attacker can brute force authentication parameters
5 | Cross-Site Request Forgery (CSRF) (CWE-352), CVE-2018-11427 | Attacker can impersonate administrative actions via web interface
6 | Information Exposure (CWE-200), CVE-2018-11421 | Attacker can obtain sensitive information such as administrative credentials
7 | Improper Access Control (CWE-284), CVE-2018-11422 | Attacker can modify configuration and upload firmware

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series | Affected Versions
OnCell G3470A-LTE Series | Firmware version 1.6 or lower
OnCell G3100-HSPA Series | Firmware version 1.4 or below for vulnerabilities 1, 2, and 3 (CVE-2018-11420, CVE-2018-11423, and CVE-2018-11424); firmware version 1.7 or below for vulnerabilities 4, 5, 6, and 7 (CVE-2018-11426, CVE-2018-11427, CVE-2018-11421 and CVE-2018-11422)

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series | Solutions
OnCell G3470A-LTE Series | Please download the new firmware/software here.
OnCell G3100-HSPA Series | For vulnerabilities 1, 2, 3, 4 and 5 (CVE-2018-11420, CVE-2018-11423, CVE-2018-11424, CVE-2018-11426 and CVE-2018-11427), please download the new firmware/software here.

Vulnerability items 6 and 7 (CVE-2018-11421 and CVE-2018-11422) only apply when using “OnCell Search Utility” and “OnCell Central Manager” on the Moxa OnCell-G3100-HSPA. Moxa recommends that customers add an additional secure communication mechanism, such as configuring “OnCell Central Manager” as an IPsec VPN Server on OnCell to build a VPN solution, to mitigate potential risk.

Acknowledgment:

We would like to express our appreciation to Mr. Alexander Zaytsev from Kaspersky Lab for reporting the vulnerability, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
 

Revision History:

Version | Description | Release Date
1.0 | First Release | Feb 13, 2020

Relevant Products

OnCell G3100-HSPA Series · OnCell G3470A-LTE Series
