Sign-up

ID

VAR-201903-0174


CVE

CVE-2019-6518


TITLE

Moxa IKS and EDS Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2019-002364

DESCRIPTION

Moxa IKS and EDS store plaintext passwords, which may allow sensitive information to be read by someone with access to the device. Moxa IKS and EDS Contains an information disclosure vulnerability.Information may be obtained. MoxaIKS and EDS are Moxa's line of industrial switches. There are plaintext password storage vulnerabilities in MoxaIKS and EDS series. The vulnerability stems from the program storing passwords in clear text. An attacker could exploit this vulnerability to read sensitive information. A cross-site-scripting vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. A security vulnerability 4. A cross-site request-forgery vulnerability 6. Multiple denial-of-service vulnerabilities 7. A security-bypass vulnerability 8. An authentication bypass vulnerability An attacker may leverage these issues to view arbitrary files within the context of the web server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, compromise the application, access or modify data, reboot or crash of the application resulting in a denial of service condition, bypass security restrictions, or execute arbitrary code. This may lead to other vulnerabilities. The following Moxa products and versions are affected: IKS-G6824A series versions 4.5 and prior, EDS-405A series versions 3.8 and prior, EDS-408A series versions 3.8 and prior, and EDS-510A series versions 3.8 and prior. Moxa IKS-G6824A series are all products of Moxa Company in Taiwan, China. IKS-G6824A series is a series of rack-mount Ethernet switches. EDS-405A series is an EDS-405A series Ethernet switch. EDS-408A series is an EDS-408A series Ethernet switch

Trust: 2.79

sources: NVD: CVE-2019-6518 // JVNDB: JVNDB-2019-002364 // CNVD: CNVD-2019-06057 // BID: 107178 // IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df // VULHUB: VHN-157953 // VULMON: CVE-2019-6518

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df // CNVD: CNVD-2019-06057

AFFECTED PRODUCTS

vendor:moxamodel:iks-g6824ascope:lteversion:4.5

Trust: 1.0

vendor:moxamodel:eds-510ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-408ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-408a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-510a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824ascope:lteversion:<=4.5

Trust: 0.6

vendor:moxamodel:eds-405ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-408ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-510ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:iks-g6824ascope:eqversion:4.5

Trust: 0.3

vendor:moxamodel:eds-510ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-408ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-405ascope:eqversion:3.8

Trust: 0.3

vendor:iks g6824amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 405amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 408amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 510amodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df // CNVD: CNVD-2019-06057 // BID: 107178 // JVNDB: JVNDB-2019-002364 // NVD: CVE-2019-6518

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6518
value: HIGH

Trust: 1.0

NVD: CVE-2019-6518
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-06057
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201902-946
value: HIGH

Trust: 0.6

IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df
value: HIGH

Trust: 0.2

VULHUB: VHN-157953
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-6518
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-6518
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-06057
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-157953
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6518
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-6518
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df // CNVD: CNVD-2019-06057 // VULHUB: VHN-157953 // VULMON: CVE-2019-6518 // JVNDB: JVNDB-2019-002364 // CNNVD: CNNVD-201902-946 // NVD: CVE-2019-6518

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.1

problemtype:CWE-256

Trust: 1.0

problemtype:CWE-200

Trust: 0.9

sources: VULHUB: VHN-157953 // JVNDB: JVNDB-2019-002364 // NVD: CVE-2019-6518

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-946

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201902-946

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002364

PATCH
title:Top Pageurl:https://www.moxa.com/en/
Trust: 0.8
title:Patch for MoxaIKS and EDS plaintext password storage vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/155119
Trust: 0.6
title:Multiple Moxa Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89664
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-06057 // 
            
            
            
            JVNDB: JVNDB-2019-002364 // 
            
            
            
            CNNVD: CNNVD-201902-946

EXTERNAL IDS
db:NVDid:CVE-2019-6518
Trust: 3.7
db:ICS CERTid:ICSA-19-057-01
Trust: 3.5
db:BIDid:107178
Trust: 2.1
db:CNNVDid:CNNVD-201902-946
Trust: 0.9
db:CNVDid:CNVD-2019-06057
Trust: 0.8
db:JVNDBid:JVNDB-2019-002364
Trust: 0.8
db:AUSCERTid:ESB-2019.0597
Trust: 0.6
db:IVDid:40881ACB-846B-4C5B-831C-2D62DD81F1DF
Trust: 0.2
db:VULHUBid:VHN-157953
Trust: 0.1
db:VULMONid:CVE-2019-6518
Trust: 0.1
sources:
            
            
            IVD: 40881acb-846b-4c5b-831c-2d62dd81f1df // 
            
            
            
            CNVD: CNVD-2019-06057 // 
            
            
            
            VULHUB: VHN-157953 // 
            
            
            
            VULMON: CVE-2019-6518 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002364 // 
            
            
            
            CNNVD: CNNVD-201902-946 // 
            
            
            
            NVD: CVE-2019-6518

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-19-057-01
Trust: 3.6
url:http://www.securityfocus.com/bid/107178
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-6518
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6518
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-057-01
Trust: 0.6
url:https://www.auscert.org.au/bulletins/76138
Trust: 0.6
url:http://www.moxastore.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/311.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-06057 // 
            
            
            
            VULHUB: VHN-157953 // 
            
            
            
            VULMON: CVE-2019-6518 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002364 // 
            
            
            
            CNNVD: CNNVD-201902-946 // 
            
            
            
            NVD: CVE-2019-6518

CREDITS
Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security reported these vulnerabilities to NCCIC.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201902-946

SOURCES
db:IVDid:40881acb-846b-4c5b-831c-2d62dd81f1df
db:CNVDid:CNVD-2019-06057
db:VULHUBid:VHN-157953
db:VULMONid:CVE-2019-6518
db:BIDid:107178
db:JVNDBid:JVNDB-2019-002364
db:CNNVDid:CNNVD-201902-946
db:NVDid:CVE-2019-6518

LAST UPDATE DATE
2024-11-23T21:52:28.444000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-06057date:2019-03-04T00:00:00
db:VULHUBid:VHN-157953date:2020-10-19T00:00:00
db:VULMONid:CVE-2019-6518date:2020-10-19T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002364date:2019-04-08T00:00:00
db:CNNVDid:CNNVD-201902-946date:2020-10-20T00:00:00
db:NVDid:CVE-2019-6518date:2024-11-21T04:46:36.780

SOURCES RELEASE DATE
db:IVDid:40881acb-846b-4c5b-831c-2d62dd81f1dfdate:2019-03-04T00:00:00
db:CNVDid:CNVD-2019-06057date:2019-03-04T00:00:00
db:VULHUBid:VHN-157953date:2019-03-05T00:00:00
db:VULMONid:CVE-2019-6518date:2019-03-05T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002364date:2019-04-08T00:00:00
db:CNNVDid:CNNVD-201902-946date:2019-02-26T00:00:00
db:NVDid:CVE-2019-6518date:2019-03-05T20:29:00.263