SUMMARY

AWK-3121 Series Industrial AP/Bridge/Client Vulnerabilities

  • Version: V1.0
  • Release Date: Dec 02, 2019
  • Reference:
    • CVE-2018-10690, CVE-2018-10691, CVE-2018-10692, CVE-2018-10693, CVE-2018-10694, CVE-2018-10695, CVE-2018-10696, CVE-2018-10697, CVE-2018-10698, CVE-2018-10699, CVE-2018-10700, CVE-2018-10701, CVE-2018-10702, CVE-2018-10703

Multiple product vulnerabilities were identified in Moxa’s AWK-3121 Series. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item  Vulnerability Type (CWE)  /  CVE(s)  /  Impact

1  Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
   CVE-2018-10697, CVE-2018-10699
   Impact: Multiple parameters are susceptible to command injection

2  Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
   CVE-2018-10702
   Impact: Specified parameter is susceptible to command injection via shell metacharacters

3  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
   CVE-2018-10692
   Impact: Vulnerable to a cross-site scripting attack that steals the session cookie

4  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
   CVE-2018-10700
   Impact: Specified parameter is susceptible to XSS payload injection

5  Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119)
   CVE-2018-10693, CVE-2018-10695, CVE-2018-10701, CVE-2018-10703
   Impact: Multiple parameters are susceptible to buffer overflow

6  Credentials Management (CWE-255)
   CVE-2018-10690
   Impact: The device allows HTTP traffic by default, providing an insecure communication mechanism for a user connecting to the web server

7  Credentials Management (CWE-255)
   CVE-2018-10694
   Impact: The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default

8  Credentials Management (CWE-255)
   CVE-2018-10698
   Impact: The device enables an unencrypted TELNET service by default

9  Improper Access Control (CWE-284)
   CVE-2018-10691
   Impact: Vulnerable to unauthorized download of systemlog.log

10 Cross-Site Request Forgery (CSRF) (CWE-352)
   CVE-2018-10696
   Impact: The web interface is not protected against CSRF attacks
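Items 1, 2 and 5 describe web parameters that reach a shell command line unchecked (CWE-77) or exceed a fixed buffer (CWE-119). The following is an added, hypothetical C example written for this page; it is not Moxa's firmware code and does not reproduce any AWK-3121 handler. It contrasts the vulnerable pattern (a request parameter spliced into a command string that a real CGI handler would pass to system() or popen()) with a hardened version that enforces a length cap and an allowlist, then builds an argv for execv() so no shell ever parses the value. The parameter name, the 64-byte limit (HOST_MAX) and the /bin/ping path are assumptions made for the example.

```c
/*
 * Illustrative, hypothetical CGI-style parameter handling (added example,
 * not Moxa firmware code). Demonstrates the CWE-77 and CWE-119 classes
 * listed in the advisory and one way to harden them.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64   /* assumed upper bound for a "host" web parameter */

/* VULNERABLE PATTERN: the parameter is concatenated into a shell command
 * line. In a real handler the result goes to system()/popen(), so a value
 * such as "10.0.0.1; cat /etc/passwd" runs a second command. Returns the
 * snprintf() count so callers can see the metacharacters survive intact. */
int build_cmd_vulnerable(char *out, size_t outlen, const char *host)
{
    return snprintf(out, outlen, "ping -c 1 %s", host);
}

/* HARDENED CHECK: cap the length (the CWE-119 side: an oversized value is
 * rejected before any fixed buffer sees it) and allow only characters that
 * can appear in a hostname or IP literal. Every shell metacharacter
 * (; | & ` $ ( ) < > quotes, whitespace, newline) is outside the allowlist,
 * so the CWE-77 payloads are rejected by construction. */
bool valid_host_param(const char *host)
{
    size_t n = 0;
    if (host == NULL)
        return false;
    /* Count at most HOST_MAX + 1 bytes so an oversized value is rejected
     * instead of walked to its end. */
    while (n <= HOST_MAX && host[n] != '\0')
        n++;
    if (n == 0 || n > HOST_MAX)
        return false;
    if (host[0] == '-')          /* would be parsed as an option by ping */
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return false;
    }
    return true;
}

/* HARDENED CONSTRUCTION: never build a shell string. Fill an argv[] for
 * execv()/posix_spawn(); the parameter is one argument and no shell parses
 * it. Returns argc on success, -1 if the parameter fails validation or
 * argv_max is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t argv_max)
{
    if (argv_max < 5 || !valid_host_param(host))
        return -1;
    argv[0] = "/bin/ping";       /* assumed path for the example */
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    char cmd[128];
    const char *argv[8];
    /* constructed sample input, not taken from any real device */
    const char *evil = "10.0.0.1; cat /etc/passwd";

    build_cmd_vulnerable(cmd, sizeof cmd, evil);
    printf("vulnerable command line : %s\n", cmd);
    printf("validator accepts input : %s\n", valid_host_param(evil) ? "yes" : "no");
    if (build_ping_argv("10.0.0.1", argv, 8) > 0)
        printf("hardened argv[3]        : %s\n", argv[3]);
    return 0;
}
```

The point of the argv version is that the fix is structural rather than a blacklist: even if the allowlist were loosened later, the value can never be re-parsed by a shell because none is invoked.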
AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series Affected Versions
AWK-3121 Series Firmware Version 1.14 or lower

 

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series Solutions
AWK-3121 Series This product has been phased out, please contact Moxa Technical Support for assistance.

 

Acknowledgment:

We would like to express our appreciation to Samuel Huntley for reporting these vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
 

Revision History:

VERSION DESCRIPTION RELEASE DATE
1.0 First Release Dec 02, 2018
