Sign-up

ID

VAR-201903-0176


CVE

CVE-2019-6520


TITLE

Moxa IKS and EDS Access control vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002347

DESCRIPTION

Moxa IKS and EDS does not properly check authority on server side, which results in a read-only user being able to perform arbitrary configuration changes. Moxa IKS and EDS Contains an access control vulnerability.Information may be tampered with. MoxaIKS and EDS are Moxa's line of industrial switches. The vulnerability stems from the device failing to properly check permissions on the server side. An attacker could exploit this vulnerability to modify the configuration. A cross-site-scripting vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. A security vulnerability 4. An information disclosure vulnerability 5. A cross-site request-forgery vulnerability 6. Multiple denial-of-service vulnerabilities 7. A security-bypass vulnerability 8. An authentication bypass vulnerability An attacker may leverage these issues to view arbitrary files within the context of the web server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, compromise the application, access or modify data, reboot or crash of the application resulting in a denial of service condition, bypass security restrictions, or execute arbitrary code. This may lead to other vulnerabilities. The following Moxa products and versions are affected: IKS-G6824A series versions 4.5 and prior, EDS-405A series versions 3.8 and prior, EDS-408A series versions 3.8 and prior, and EDS-510A series versions 3.8 and prior. Moxa IKS-G6824A series are all products of Moxa Company in Taiwan, China. IKS-G6824A series is a series of rack-mount Ethernet switches. EDS-405A series is an EDS-405A series Ethernet switch. EDS-408A series is an EDS-408A series Ethernet switch

Trust: 2.79

sources: NVD: CVE-2019-6520 // JVNDB: JVNDB-2019-002347 // CNVD: CNVD-2019-06179 // BID: 107178 // IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7 // VULHUB: VHN-157955 // VULMON: CVE-2019-6520

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7 // CNVD: CNVD-2019-06179

AFFECTED PRODUCTS

vendor:moxamodel:iks-g6824ascope:lteversion:4.5

Trust: 1.0

vendor:moxamodel:eds-510ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-408ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-408a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-510a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824ascope:lteversion:<=4.5

Trust: 0.6

vendor:moxamodel:eds-405ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-408ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-510ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:iks-g6824ascope:eqversion:4.5

Trust: 0.3

vendor:moxamodel:eds-510ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-408ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-405ascope:eqversion:3.8

Trust: 0.3

vendor:iks g6824amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 405amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 408amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 510amodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7 // CNVD: CNVD-2019-06179 // BID: 107178 // JVNDB: JVNDB-2019-002347 // NVD: CVE-2019-6520

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6520
value: HIGH

Trust: 1.0

NVD: CVE-2019-6520
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-06179
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201902-958
value: HIGH

Trust: 0.6

IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7
value: HIGH

Trust: 0.2

VULHUB: VHN-157955
value: MEDIUM

Trust: 0.1

VULMON: CVE-2019-6520
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-6520
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-06179
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-157955
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6520
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-6520
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7 // CNVD: CNVD-2019-06179 // VULHUB: VHN-157955 // VULMON: CVE-2019-6520 // JVNDB: JVNDB-2019-002347 // CNNVD: CNNVD-201902-958 // NVD: CVE-2019-6520

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.1

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-287

Trust: 0.8

sources: VULHUB: VHN-157955 // JVNDB: JVNDB-2019-002347 // NVD: CVE-2019-6520

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-958

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201902-958

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002347

PATCH
title:Top Pageurl:https://www.moxa.com/
Trust: 0.8
title:MoxaIKS and EDS access patches for improper control of vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/155207
Trust: 0.6
title:Multiple Moxa Product access control error vulnerability fixesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=89674
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-06179 // 
            
            
            
            JVNDB: JVNDB-2019-002347 // 
            
            
            
            CNNVD: CNNVD-201902-958

EXTERNAL IDS
db:NVDid:CVE-2019-6520
Trust: 3.7
db:ICS CERTid:ICSA-19-057-01
Trust: 3.5
db:BIDid:107178
Trust: 2.1
db:CNNVDid:CNNVD-201902-958
Trust: 0.9
db:CNVDid:CNVD-2019-06179
Trust: 0.8
db:JVNDBid:JVNDB-2019-002347
Trust: 0.8
db:AUSCERTid:ESB-2019.0597
Trust: 0.6
db:IVDid:44FF4A4F-B858-48D2-8216-B32637775BF7
Trust: 0.2
db:VULHUBid:VHN-157955
Trust: 0.1
db:VULMONid:CVE-2019-6520
Trust: 0.1
sources:
            
            
            IVD: 44ff4a4f-b858-48d2-8216-b32637775bf7 // 
            
            
            
            CNVD: CNVD-2019-06179 // 
            
            
            
            VULHUB: VHN-157955 // 
            
            
            
            VULMON: CVE-2019-6520 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002347 // 
            
            
            
            CNNVD: CNNVD-201902-958 // 
            
            
            
            NVD: CVE-2019-6520

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-19-057-01
Trust: 3.6
url:http://www.securityfocus.com/bid/107178
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-6520
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6520
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-057-01
Trust: 0.6
url:https://www.auscert.org.au/bulletins/76138
Trust: 0.6
url:http://www.moxastore.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-06179 // 
            
            
            
            VULHUB: VHN-157955 // 
            
            
            
            VULMON: CVE-2019-6520 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002347 // 
            
            
            
            CNNVD: CNNVD-201902-958 // 
            
            
            
            NVD: CVE-2019-6520

CREDITS
Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security reported these vulnerabilities to NCCIC.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201902-958

SOURCES
db:IVDid:44ff4a4f-b858-48d2-8216-b32637775bf7
db:CNVDid:CNVD-2019-06179
db:VULHUBid:VHN-157955
db:VULMONid:CVE-2019-6520
db:BIDid:107178
db:JVNDBid:JVNDB-2019-002347
db:CNNVDid:CNNVD-201902-958
db:NVDid:CVE-2019-6520

LAST UPDATE DATE
2024-11-23T21:52:28.487000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-06179date:2019-03-05T00:00:00
db:VULHUBid:VHN-157955date:2020-10-19T00:00:00
db:VULMONid:CVE-2019-6520date:2020-10-19T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002347date:2019-04-08T00:00:00
db:CNNVDid:CNNVD-201902-958date:2020-10-27T00:00:00
db:NVDid:CVE-2019-6520date:2024-11-21T04:46:37.030

SOURCES RELEASE DATE
db:IVDid:44ff4a4f-b858-48d2-8216-b32637775bf7date:2019-03-05T00:00:00
db:CNVDid:CNVD-2019-06179date:2019-03-05T00:00:00
db:VULHUBid:VHN-157955date:2019-03-05T00:00:00
db:VULMONid:CVE-2019-6520date:2019-03-05T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002347date:2019-04-08T00:00:00
db:CNNVDid:CNNVD-201902-958date:2019-02-26T00:00:00
db:NVDid:CVE-2019-6520date:2019-03-05T20:29:00.297