SUMMARY

TN-5900 Series Affected by Multiple OpenSSL Vulnerabilities

This security advisory addresses multiple OpenSSL vulnerabilities affecting the TN-5900 Series, specifically CVE-2022-4304, CVE-2023-0215, and CVE-2023-0286. These vulnerabilities pose significant security risks, including potential plaintext recovery through timing-based side-channel attacks, improper memory management leading to memory corruption, and type confusion vulnerabilities that could allow unauthorized memory access or denial of service attacks.


The Identified Vulnerability Type and Potential Impact

Item | Vulnerability Type | Impact
1 | Observable Discrepancy (CWE-203), CVE-2022-4304 | After a sufficiently large number of messages, the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
2 | Use After Free (CWE-416), CVE-2023-0215 | If the caller then calls BIO_pop() on the BIO, a use-after-free will occur. This will most likely result in a crash.
3 | Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843), CVE-2023-0286 | This vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service.

Vulnerability Scoring Details 

ID | Base Score | CVSS:3.1 Vector | Severity | Unauthenticated Remote Exploit
CVE-2022-4304 | 5.9 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | Medium | Yes
CVE-2023-0215 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | High | Yes
CVE-2023-0286 | 7.4 | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H | High | Yes

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are listed below.

Product Series | Affected Versions
TN-5900 Series | Firmware version 3.4 and earlier versions

Solutions:

Moxa has developed appropriate solutions to address these vulnerabilities. The solutions for affected products are listed below.

Product Series | Solutions
TN-5900 Series | Upgrade to the firmware version 4.0

Mitigation:

  • Minimize network exposure to ensure the device is not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
  • Implement an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) to detect and prevent exploitation attempts. These systems can provide an additional layer of defense by monitoring network traffic for signs of attacks.

Products That Are Not Vulnerable

Only the products listed in the Affected Products section of this advisory are known to be affected by these vulnerabilities. Moxa has confirmed that these vulnerabilities do not affect the following products:

  • TN-4900 Series
  • TN-4500A Series, TN-5500A Series

 

Revision History

VERSION | DESCRIPTION | RELEASE DATE
1.0 | First Release | October 4, 2024
