Sign-up

ID

VAR-201903-0183


CVE

CVE-2019-6557


TITLE

Moxa IKS and EDS Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-002198

DESCRIPTION

Several buffer overflow vulnerabilities have been identified in Moxa IKS and EDS, which may allow remote code execution. Moxa IKS and EDS Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MoxaIKS and EDS are Moxa's line of industrial switches. A buffer overflow vulnerability exists in the MoxaIKS and EDS families. An attacker could exploit this vulnerability for remote code execution. A cross-site-scripting vulnerability 2. Multiple stack-based buffer-overflow vulnerabilities 3. A security vulnerability 4. An information disclosure vulnerability 5. A cross-site request-forgery vulnerability 6. Multiple denial-of-service vulnerabilities 7. A security-bypass vulnerability 8. An authentication bypass vulnerability An attacker may leverage these issues to view arbitrary files within the context of the web server, execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, gain access to sensitive information, compromise the application, access or modify data, reboot or crash of the application resulting in a denial of service condition, bypass security restrictions, or execute arbitrary code. This may lead to other vulnerabilities. The following Moxa products and versions are affected: IKS-G6824A series versions 4.5 and prior, EDS-405A series versions 3.8 and prior, EDS-408A series versions 3.8 and prior, and EDS-510A series versions 3.8 and prior. Moxa IKS-G6824A series are all products of Moxa Company in Taiwan, China. IKS-G6824A series is a series of rack-mount Ethernet switches. EDS-405A series is an EDS-405A series Ethernet switch. EDS-408A series is an EDS-408A series Ethernet switch

Trust: 2.79

sources: NVD: CVE-2019-6557 // JVNDB: JVNDB-2019-002198 // CNVD: CNVD-2019-06175 // BID: 107178 // IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // VULHUB: VHN-157992 // VULMON: CVE-2019-6557

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // CNVD: CNVD-2019-06175

AFFECTED PRODUCTS

vendor:moxamodel:eds-405ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-408ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:iks-g6824ascope:lteversion:4.5

Trust: 1.0

vendor:moxamodel:eds-510ascope:lteversion:3.8

Trust: 1.0

vendor:moxamodel:eds-405a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-408a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:eds-510a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824a seriesscope: - version: -

Trust: 0.8

vendor:moxamodel:iks-g6824ascope:lteversion:<=4.5

Trust: 0.6

vendor:moxamodel:eds-405ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-408ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:eds-510ascope:lteversion:<=3.8

Trust: 0.6

vendor:moxamodel:iks-g6824ascope:eqversion:4.5

Trust: 0.3

vendor:moxamodel:eds-510ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-408ascope:eqversion:3.8

Trust: 0.3

vendor:moxamodel:eds-405ascope:eqversion:3.8

Trust: 0.3

vendor:iks g6824amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 405amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 408amodel: - scope:eqversion:*

Trust: 0.2

vendor:eds 510amodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // CNVD: CNVD-2019-06175 // BID: 107178 // JVNDB: JVNDB-2019-002198 // NVD: CVE-2019-6557

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-6557
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-6557
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2019-06175
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201902-967
value: CRITICAL

Trust: 0.6

IVD: d8b199a7-2e07-425c-bcc8-cf8073155286
value: CRITICAL

Trust: 0.2

VULHUB: VHN-157992
value: HIGH

Trust: 0.1

VULMON: CVE-2019-6557
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-6557
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-06175
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: d8b199a7-2e07-425c-bcc8-cf8073155286
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-157992
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-6557
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-6557
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // CNVD: CNVD-2019-06175 // VULHUB: VHN-157992 // VULMON: CVE-2019-6557 // JVNDB: JVNDB-2019-002198 // CNNVD: CNNVD-201902-967 // NVD: CVE-2019-6557

PROBLEMTYPE DATA

problemtype:CWE-120

Trust: 1.1

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-157992 // JVNDB: JVNDB-2019-002198 // NVD: CVE-2019-6557

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201902-967

TYPE

Buffer error

Trust: 0.8

sources: IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // CNNVD: CNNVD-201902-967

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-002198

PATCH
title:Top Pageurl:https://www.moxa.com/en/
Trust: 0.8
title:Patch for MoxaIKS and EDS Buffer Overflow Vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/155223
Trust: 0.6
title:Multiple Moxa Product Buffer Error Vulnerability Fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=89680
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-06175 // 
            
            
            
            JVNDB: JVNDB-2019-002198 // 
            
            
            
            CNNVD: CNNVD-201902-967

EXTERNAL IDS
db:NVDid:CVE-2019-6557
Trust: 3.7
db:ICS CERTid:ICSA-19-057-01
Trust: 3.5
db:BIDid:107178
Trust: 2.1
db:CNNVDid:CNNVD-201902-967
Trust: 0.9
db:CNVDid:CNVD-2019-06175
Trust: 0.8
db:JVNDBid:JVNDB-2019-002198
Trust: 0.8
db:AUSCERTid:ESB-2019.0597
Trust: 0.6
db:IVDid:D8B199A7-2E07-425C-BCC8-CF8073155286
Trust: 0.2
db:VULHUBid:VHN-157992
Trust: 0.1
db:VULMONid:CVE-2019-6557
Trust: 0.1
sources:
            
            
            IVD: d8b199a7-2e07-425c-bcc8-cf8073155286 // 
            
            
            
            CNVD: CNVD-2019-06175 // 
            
            
            
            VULHUB: VHN-157992 // 
            
            
            
            VULMON: CVE-2019-6557 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002198 // 
            
            
            
            CNNVD: CNNVD-201902-967 // 
            
            
            
            NVD: CVE-2019-6557

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-19-057-01
Trust: 3.6
url:http://www.securityfocus.com/bid/107178
Trust: 2.5
url:https://nvd.nist.gov/vuln/detail/cve-2019-6557
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6557
Trust: 0.8
url:https://www.us-cert.gov/ics/advisories/icsa-19-057-01
Trust: 0.6
url:https://www.auscert.org.au/bulletins/76138
Trust: 0.6
url:http://www.moxastore.com/
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/119.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2019-06175 // 
            
            
            
            VULHUB: VHN-157992 // 
            
            
            
            VULMON: CVE-2019-6557 // 
            
            
            
            BID: 107178 // 
            
            
            
            JVNDB: JVNDB-2019-002198 // 
            
            
            
            CNNVD: CNNVD-201902-967 // 
            
            
            
            NVD: CVE-2019-6557

CREDITS
Ivan B, Sergey Fedonin, and Vyacheslav Moskvin of Positive Technologies Security reported these vulnerabilities to NCCIC.
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-201902-967

SOURCES
db:IVDid:d8b199a7-2e07-425c-bcc8-cf8073155286
db:CNVDid:CNVD-2019-06175
db:VULHUBid:VHN-157992
db:VULMONid:CVE-2019-6557
db:BIDid:107178
db:JVNDBid:JVNDB-2019-002198
db:CNNVDid:CNNVD-201902-967
db:NVDid:CVE-2019-6557

LAST UPDATE DATE
2024-08-14T13:26:55.888000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-06175date:2019-03-05T00:00:00
db:VULHUBid:VHN-157992date:2022-11-30T00:00:00
db:VULMONid:CVE-2019-6557date:2019-10-09T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002198date:2019-04-04T00:00:00
db:CNNVDid:CNNVD-201902-967date:2022-12-01T00:00:00
db:NVDid:CVE-2019-6557date:2022-11-30T22:13:52.450

SOURCES RELEASE DATE
db:IVDid:d8b199a7-2e07-425c-bcc8-cf8073155286date:2019-03-05T00:00:00
db:CNVDid:CNVD-2019-06175date:2019-03-05T00:00:00
db:VULHUBid:VHN-157992date:2019-03-05T00:00:00
db:VULMONid:CVE-2019-6557date:2019-03-05T00:00:00
db:BIDid:107178date:2019-02-26T00:00:00
db:JVNDBid:JVNDB-2019-002198date:2019-04-04T00:00:00
db:CNNVDid:CNNVD-201902-967date:2019-02-26T00:00:00
db:NVDid:CVE-2019-6557date:2019-03-05T20:29:00.437