Details of VAR-201509-0215

ID

VAR-201509-0215

CVE

CVE-2015-6464

TITLE

Moxa EDS-405A and EDS-408A Managing switch firmware Web Vulnerabilities that bypass read-only protection mechanisms in the interface

Trust: 0.8

sources: JVNDB: JVNDB-2015-004692

DESCRIPTION

The administrative web interface on Moxa EDS-405A and EDS-408A switches with firmware before 3.6 allows remote authenticated users to bypass a read-only protection mechanism by using Firefox with a web-developer plugin. Moxa EDS-405A/EDS-408A is an Ethernet switch series. A privilege escalation vulnerability exists in the management web interface of Moxa EDS-405A/EDS-408A. This vulnerability can be exploited by attackers to bypass the authentication mechanism and enhance permissions. Moxa EDS-405A/EDS-408A Series Switches are prone to the following multiple security vulnerabilities: 1. A remote privilege-escalation vulnerability 2. A cross-site scripting vulnerability 3. A denial-of-service vulnerability Attackers can exploit these issues to cause a denial-of-service condition, gain elevated privileges or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks

Trust: 2.7

sources: NVD: CVE-2015-6464 // JVNDB: JVNDB-2015-004692 // CNVD: CNVD-2015-05848 // BID: 76612 // IVD: 769fda94-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-84425

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: 769fda94-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05848

AFFECTED PRODUCTS

vendor:	moxa	model:	eds-405a	scope:	lte	version:	3.4	Trust: 1.0
vendor:	moxa	model:	eds-408a	scope:	lte	version:	3.4	Trust: 1.0
vendor:	moxa	model:	eds-405a series	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-405a series	scope:	lt	version:	3.6	Trust: 0.8
vendor:	moxa	model:	eds-408a series	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-408a series	scope:	lt	version:	3.6	Trust: 0.8
vendor:	moxa	model:	eds-405a/eds-408a	scope:	-	version:	-	Trust: 0.6
vendor:	moxa	model:	eds-408a	scope:	eq	version:	3.4	Trust: 0.6
vendor:	moxa	model:	eds-405a	scope:	eq	version:	3.4	Trust: 0.6
vendor:	moxa	model:	eds-408a series build	scope:	eq	version:	3.414031419	Trust: 0.3
vendor:	moxa	model:	eds-405a series build	scope:	eq	version:	3.414031419	Trust: 0.3
vendor:	eds 405a	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	eds 408a	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 769fda94-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05848 // BID: 76612 // JVNDB: JVNDB-2015-004692 // CNNVD: CNNVD-201509-144 // NVD: CVE-2015-6464

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6464
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-6464
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2015-05848
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201509-144
value:	HIGH
Trust: 0.6
IVD:	769fda94-2351-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2
VULHUB:	VHN-84425
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-6464
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-05848
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	769fda94-2351-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-84425
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:S/C:N/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	NONE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	9.2
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 769fda94-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05848 // VULHUB: VHN-84425 // JVNDB: JVNDB-2015-004692 // CNNVD: CNNVD-201509-144 // NVD: CVE-2015-6464

PROBLEMTYPE DATA

problemtype:

NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2015-6464

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201509-144

TYPE

Unknown

Trust: 0.3

sources: BID: 76612

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004692

PATCH

title:	EDS-405A/408A シリーズ	url:	http://japan.moxa.com/product/EDS-408405A.htm	Trust: 0.8
title:	The Latest firmware for EDS-405A series	url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 0.8
title:	Moxa Industrial Managed Switch privilege escalation vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/63688	Trust: 0.6

sources: CNVD: CNVD-2015-05848 // JVNDB: JVNDB-2015-004692

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6464	Trust: 3.6
db:	ICS CERT	id:	ICSA-15-246-03	Trust: 3.4
db:	CNNVD	id:	CNNVD-201509-144	Trust: 0.9
db:	CNVD	id:	CNVD-2015-05848	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-004692	Trust: 0.8
db:	BID	id:	76612	Trust: 0.3
db:	IVD	id:	769FDA94-2351-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	VULHUB	id:	VHN-84425	Trust: 0.1

sources: IVD: 769fda94-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-05848 // VULHUB: VHN-84425 // BID: 76612 // JVNDB: JVNDB-2015-004692 // CNNVD: CNNVD-201509-144 // NVD: CVE-2015-6464

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-246-03	Trust: 3.4
url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6464	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6464	Trust: 0.8
url:	http://store.moxa.com/a/product/eds-405a-408a-series?id=m20090312047	Trust: 0.3
url:	http://www.moxa.com/support/download.aspx?type=support&id=328	Trust: 0.1

sources: CNVD: CNVD-2015-05848 // VULHUB: VHN-84425 // BID: 76612 // JVNDB: JVNDB-2015-004692 // CNNVD: CNNVD-201509-144 // NVD: CVE-2015-6464

CREDITS

Erwin Paternotte of Applied Risk

Trust: 0.3

sources: BID: 76612

SOURCES

db:	IVD	id:	769fda94-2351-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2015-05848
db:	VULHUB	id:	VHN-84425
db:	BID	id:	76612
db:	JVNDB	id:	JVNDB-2015-004692
db:	CNNVD	id:	CNNVD-201509-144
db:	NVD	id:	CVE-2015-6464

LAST UPDATE DATE

2024-11-23T21:54:50.974000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-05848	date:	2015-09-10T00:00:00
db:	VULHUB	id:	VHN-84425	date:	2015-09-14T00:00:00
db:	BID	id:	76612	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-004692	date:	2015-09-15T00:00:00
db:	CNNVD	id:	CNNVD-201509-144	date:	2015-09-14T00:00:00
db:	NVD	id:	CVE-2015-6464	date:	2024-11-21T02:35:01.093

SOURCES RELEASE DATE

db:	IVD	id:	769fda94-2351-11e6-abef-000c29c66e3d	date:	2015-09-09T00:00:00
db:	CNVD	id:	CNVD-2015-05848	date:	2015-09-09T00:00:00
db:	VULHUB	id:	VHN-84425	date:	2015-09-11T00:00:00
db:	BID	id:	76612	date:	2015-09-03T00:00:00
db:	JVNDB	id:	JVNDB-2015-004692	date:	2015-09-15T00:00:00
db:	CNNVD	id:	CNNVD-201509-144	date:	2015-09-14T00:00:00
db:	NVD	id:	CVE-2015-6464	date:	2015-09-11T16:59:07.673