Affected Products:
The affected products and firmware versions are shown below.
Product Series |
Affected Versions |
PT-G503 Series |
Firmware version 5.2 and prior. |
PT-7728 Series |
Firmware version 3.8 and prior. |
PT-7828 Series |
Firmware version 3.10 and prior. |
Solutions:
For CVE-2005-4900, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, and CVE-2020-11023, Moxa has developed appropriate solutions to address the vulnerabilities by updating the jQuery version and removing weak cipher suites. The solutions for affected products are shown below.
Mitigation
The risk levels of CVE-2023-4217 and CVE-2023-5035 are low, and it’s hard to forbidden HTTP connections because HTTP is still required in certain legacy application scenarios. To mitigate these vulnerabilities, users should carefully use HTTP if necessary, and could try to replace HTTP by HTTPS when using the web service. Additionally, refer to the following mitigation measures to deploy the product in an appropriate product security context.
Moxa recommends users follow CISA recommendations.
-
Reduce network exposure by ensuring that all control system devices and systems are not accessible from the Internet.
-
Place control system networks and remote devices behind firewalls, isolating them from business networks.
-
When remote access is necessary, employ secure methods such as Virtual Private Networks (VPNs). It is important to note that VPNs may have vulnerabilities and should be kept up to date with the latest available version. Remember that the security of a VPN depends on the security of its connected devices.
Revision History:
VERSION |
DESCRIPTION |
RELEASE DATE |
1.0 |
First Release |
Nov 2, 2023 |
1.1 |
Add PT-7728 and PT-7828 Series in Affected Products and Solutions sections |
Jan 5, 2024 |