
SUMMARY

EDS-G516E and EDS-510E Series Ethernet Switches Vulnerabilities

  • Security Advisory ID: MPSA-190901
  • Version: V1.0
  • Release Date: Sep 25, 2019
  • Reference:
    • CVE-2020-7007, CVE-2020-7001, CVE-2020-6979, CVE-2020-6981, CVE-2020-6999, CVE-2020-6997, CVE-2020-6991

Multiple product vulnerabilities were identified in Moxa’s EDS-G516E and EDS-510E Series Ethernet Switches. In response to this, Moxa has developed related solutions to address these vulnerabilities.

The identified vulnerability types and potential impacts are shown below:

Item 1: Stack-based buffer overflow (CWE-121), CVE-2020-7007
Impact: The attacker may execute arbitrary code or cause the target device to go out of service. The vulnerability is in the IEEE 802.1X setting page of the web interface.

Item 2: Use of a broken or risky cryptographic algorithm (CWE-327), CVE-2020-7001
Impact:
  1. Using a weak cryptographic algorithm may allow confidential information to be disclosed.
  2. Improper implementation of the cryptographic function may allow confidential information to be disclosed.

Item 3: Use of a hard-coded cryptographic key (CWE-321), CVE-2020-6979
Impact: Using a hard-coded cryptographic key increases the likelihood that confidential data can be recovered.

Item 4: Use of a hard-coded password (CWE-798), CVE-2020-6981
Impact: A user with malicious intent may gain access to the system without proper authentication.

Item 5: Buffer copy without checking size of input (CWE-120), CVE-2020-6999
Impact: By exploiting this vulnerability, the attacker may cause the target device to go out of service. The following pages do not check that the submitted text is within the expected length:
  1. Some parameters in the syslog setting page.
  2. Some parameters in the DHCP setting page.
  3. Some parameters in the PTP setting page.

Item 6: User credentials are sent in clear text (CWE-319), CVE-2020-6997
Impact: An attacker who can observe the clear-text communication may intercept the credentials.

Item 7: Weak password requirements (CWE-521), CVE-2020-6991
Impact: A user with malicious intent may try to retrieve credentials by brute force.

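Items 1 and 5 describe the same root cause: a value submitted through a web setting page is copied into a fixed-size stack buffer without checking its length. As an added illustration that is not code from the Moxa firmware or from this advisory, the C snippet below places that vulnerable pattern next to a hardened handler that rejects oversized input instead of truncating it. The buffer size PARAM_MAX, the function names and the sample inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer that a web setting page
 * handler copies a submitted parameter into. This size, the function names
 * and the sample inputs are assumptions made for this example; none of them
 * come from the Moxa firmware or from the advisory. */
#define PARAM_MAX 32

/* Vulnerable pattern (CWE-120 / CWE-121): the submitted value is copied into
 * a fixed-size stack buffer with no length check. A value longer than
 * PARAM_MAX - 1 bytes writes past the end of buf and corrupts the stack,
 * which is the root cause behind the crash or code execution described in
 * items 1 and 5. Shown for contrast only; never call it with
 * attacker-controlled input. */
int set_param_unsafe(const char *value)
{
    char buf[PARAM_MAX];
    strcpy(buf, value);            /* no bounds check */
    return (int)strlen(buf);
}

/* Bounded length: counts at most limit bytes, so an unterminated or
 * oversized input can never make the handler read past limit. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened version: refuse any value that does not fit together with its
 * terminating NUL, then copy with an explicit bound. Returns the stored
 * length, or -1 if the value was rejected. Rejecting is preferable to silent
 * truncation: a truncated syslog server name or PTP setting would be a
 * configuration error the operator never sees. */
int set_param_safe(const char *value, char *out, size_t outsz)
{
    if (value == NULL || out == NULL || outsz == 0)
        return -1;
    size_t n = bounded_len(value, outsz);
    if (n >= outsz)                /* no room for the value plus NUL */
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper using the same stack buffer size as the unsafe
 * version, so the two handlers can be compared on the same input. */
int try_store(const char *value)
{
    char buf[PARAM_MAX];
    return set_param_safe(value, buf, sizeof buf);
}

/* Builds a constructed 200-byte oversized parameter (a run of 'A's) of the
 * kind an attacker might submit through the syslog, DHCP or PTP setting
 * page, and returns what the hardened handler does with it (-1: rejected). */
int reject_oversized_input(void)
{
    char attack[200];
    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    return try_store(attack);
}

int main(void)
{
    /* Constructed sample values, not captured from a device. */
    const char *ok = "192.0.2.10";
    printf("safe   '%s' -> %d\n", ok, try_store(ok));
    printf("safe   200 x 'A' -> %d (rejected)\n", reject_oversized_input());
    /* Only a short value is ever passed to the unsafe handler here. */
    printf("unsafe '%s' -> %d\n", ok, set_param_unsafe(ok));
    return 0;
}
```

The hardened handler checks the length before the copy and never reads more than the destination size from the input, so a crafted form field of any length can only produce a rejected request rather than a stack corruption.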
AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series     Affected Versions
EDS-G516E Series   Firmware Version 5.2 or lower
EDS-510E Series    Firmware Version 5.2 or lower


Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

EDS-G516E Series:
  • Please download the new firmware from the Moxa website.
  • For vulnerabilities 2 and 3, Moxa recommends that customers enable Password on configuration file under Configuration File Encryption Setting to mitigate the potential risk.
  • For vulnerability 6, Moxa recommends that customers enable HTTPS under Management Interface Setting.
  • For vulnerability 7, Moxa recommends that customers enable the Account Login Failure Lockout function to mitigate the potential risk.

EDS-510E Series:
  • For vulnerabilities 1, 4 and 5, please contact Moxa Technical Support for assistance.
  • For vulnerabilities 2 and 3, Moxa recommends that customers enable Password on configuration file under Configuration File Encryption Setting to mitigate the potential risk.
  • For vulnerability 6, Moxa recommends that customers enable HTTPS under Management Interface Setting.
  • For vulnerability 7, Moxa recommends that customers enable the Account Login Failure Lockout function to mitigate the potential risk.


Acknowledgment:

We would like to express our appreciation to Ilya Karpov and Evgeniy Druzhinin of Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies for reporting these vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.


Revision History:

VERSION   DESCRIPTION     RELEASE DATE
1.0       First Release   Sep 25, 2019
