Vulnerability CVE-2016-8363


Published: 2017-02-13

Description:
An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server.

Vendor: MOXA
Product: Awk-3131a firmware 
Version: 10-31-2016;
Product: Awk-4131a firmware 
Version: 10-31-2016;
Product: Oncellg3470a-lte firmware 
Version: 10-31-2016;
Product: Awk-1131a firmware 
Version: 10-31-2016;
Product: Wac-2004 firmware 
Version: 06-29-2017;
Product: Awk-5232-m12-rcc firmware 
Version: 06-29-2017;
Product: Awk-3131-m12-rcc firmware 
Version: 06-29-2017;
Product: Awk-1121 firmware 
Version: 06-29-2017;
Product: Awk-3121-m12-rtg firmware 
Version: 06-29-2017;
Product: Awk-1127 firmware 
Version: 06-29-2017;
Product: Wac-1001 v2 firmware 
Version: 06-29-2017;
Product: Awk-5232 firmware 
Version: 05-30-2017;
Product: Awk-3191 firmware 
Version: 05-30-2017;
Product: Awk-6232 firmware 
Version: 05-30-2017;

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.securityfocus.com/bid/94092
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-01

Related CVE
CVE-2019-10969
Moxa EDR 810, all versions 5.1 and prior, allows an authenticated attacker to abuse the ping feature to execute unauthorized commands on the router, which may allow an attacker to perform remote code execution.
CVE-2018-11425
Memory corruption issue was discovered in Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11424.
CVE-2018-11424
There is Memory corruption in the web interface of Moxa OnCell G3470A-LTE Series version 1.6 Build 18021314 and prior, a different vulnerability than CVE-2018-11425.
CVE-2018-11423
There is Memory corruption in the web interface Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior, different vulnerability than CVE-2018-11420.
CVE-2018-11422
Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary configuration protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be interc...
CVE-2018-11421
Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and prior use a proprietary monitoring protocol that does not provide confidentiality, integrity, and authenticity security controls. All information is sent in plain text, and can be intercept...
CVE-2018-11420
There is Memory corruption in the web interface of Moxa OnCell G3100-HSPA Series version 1.5 Build 17042015 and prio,r a different vulnerability than CVE-2018-11423.
CVE-2018-11427
CSRF tokens are not used in the web application of Moxa OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior, which makes it possible to perform CSRF attacks on the device administrator.

Copyright 2019, cxsecurity.com

 

Back to Top