Product support

Security Advisories

SUMMARY

NPort IAW5000A-I/O Series Serial Device Server Vulnerabilities

  • Version: V1.0
  • Release Date: May 27, 2021
  • Reference:
    • BDU:2021-02699, BDU:2021-02700, BDU:2021-02701, BDU:2021-02702, BDU:2021-02703, BDU:2021-02704, BDU:2021-02705,BDU:2021-02706, BDU:2021-02707, BDU:2021-02708

Multiple product vulnerabilities were identified in Moxa’s NPort IAW5000A-I/O Series Wireless Device Server. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item Vulnerability Type Impact
1 Buffer Overflow (CWE-120)
BDU:2021-02699, BDU:2021-02702
A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack.
2 Stack-Based Buffer Overflow (CWE-121)
BDU:2021-02700, BDU:2021-02701, BDU:2021-02703, BDU:2021-02704, BDU:2021-02708
A buffer overflow in the built-in web server allows remote attackers to initiate a DoS attack and execute arbitrary code (RCE).
3 Improper Input Validation (CWE-20)
BDU:2021-02705, BDU:2021-02706
Data can be copied without validation in the built-in web server, which allows remote attackers to initiate a DoS attack.
4 OS Command Injection (CWE-78)
BDU:2021-02707
Improper input validation in the built-in web server allows remote attackers to execute the OS command.
AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
NPort IAW5000A-I/O Series Firmware Version 2.2 or lower

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
NPort IAW5000A-I/O Series Please contact Moxa Technical Support for a security patch.

Acknowledgment:

We would like to express our appreciation to Konstantin Kondratev, Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release May 27, 2021

Relevant Products

NPort IAW5000A-I/O Series ·

  •   Print this page
  • You can manage and share your saved list in My Moxa
Let’s get that fixed

If you are concerned about a potential cybersecurity vulnerability, please contact us and one of technical support staff will get in touch with you.

Report a Vulnerability
Added To Bag
Feedback