Security Advisories

SUMMARY

PT-7528 and PT-7828 Series Ethernet Switches Vulnerabilities

  • Version: V1.0
  • Release Date: Sep 25, 2019
  • Reference:
    • CVE-2020-6989, CVE-2020-6987, CVE-2020-6983, CVE-2020-6895, CVE-2020-6996, CVE-2020-6993
    • CNVD-2020-13511, CNVD-2020-13512, CNVD-2020-13513, CNVD-2020-13514, CNVD-2020-13507

Multiple product vulnerabilities were identified in Moxa’s PT-7528 and PT-7828 Series Ethernet Switches. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

| Item | Vulnerability Type | Impact |
|------|--------------------|--------|
| 1 | Stack-based buffer overflow (CWE-121), CVE-2020-6989 | The attacker may execute arbitrary code or target the device to cause it to go out of service. |
| 2 | Use of a broken or risky cryptographic algorithm (CWE-327), CVE-2020-6987 / CNVD-2020-13511 | Using a weak cryptographic algorithm may allow confidential information to be disclosed. |
| 3 | Use of a broken or risky cryptographic algorithm (CWE-327), CVE-2020-6987 / CNVD-2020-13511 | Improper implementation of the cryptographic function may allow confidential information to be disclosed. |
| 4 | Use of a hard-coded cryptographic key (CWE-321), CVE-2020-6983 / CNVD-2020-13512 | Using a hard-coded cryptographic key increases the possibility that confidential data can be recovered. |
| 5 | Use of a hard-coded password (CWE-798), CVE-2020-6895 / CNVD-2020-13513 | A user with malicious intent may gain access to the system without proper authentication. |
| 6 | Weak password requirements (CWE-521), CVE-2020-6996 / CNVD-2020-13514 | A user with malicious intent may try to retrieve credentials by using brute force. |
| 7 | Information exposure (CWE-200), CVE-2020-6993 / CNVD-2020-13507 | A user with malicious intent could steal sensitive information by performing a zero-day attack. |

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

| Product Series | Affected Versions |
|----------------|-------------------|
| PT-7528 Series | Firmware Version 4.0 or lower |
| PT-7828 Series | Firmware Version 3.9 or lower |

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

| Product Series | Solutions |
|----------------|-----------|
| PT-7528 Series | Please contact Moxa Technical Support for a security patch. For vulnerabilities 2, 3, 4, and 5, we recommend that our customers apply the security patch and then enable the Account Login Failure Lockout function to eliminate any potential risk. |
| PT-7828 Series | Please contact Moxa Technical Support for a security patch. For vulnerabilities 2, 3, 4, and 5, we recommend that our customers apply the security patch and then enable the Account Login Failure Lockout function to eliminate any potential risk. |

Acknowledgment:

We would like to express our appreciation to Ilya Karpov and Evgeniy Druzhinin of Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.

 

Revision History:

| Version | Description | Release Date |
|---------|-------------|--------------|
| 1.0 | First Release | Sep 25, 2019 |
