
Technical FAQs
Question ThingsPro IIoT Gateway and Device Management Software Solution Vulnerabilities
Question Type Security Advisory
Updated 10/19/2018 4:27:42 PM
Products ThingsPro® Gateway for AWS IoT,ThingsPro Gateway for Google Cloud IoT

Summary

Version: 1.0

Multiple vulnerabilities were identified in Moxa's ThingsPro Gateway Edition 2.1. Moxa has developed the solutions described below to address them.

The identified vulnerability types and their potential impacts are listed below:

Item  Vulnerability type                                      Impact
1     User enumeration                                        A remote attacker can discover valid user names of the web application and then brute-force the corresponding passwords.
2     User privilege escalation                               A remote attacker can gain higher privileges than those assigned to the account.
3     Broken access control                                   A remote attacker can gain higher privileges than those assigned to the account.
4     Old password not required when changing the password    The server does not verify the current password before accepting a new one, so a remote attacker can change the password far too easily.
5     Cleartext storage of sensitive information              Sensitive information (including tokens) is stored in cleartext, allowing a remote attacker to determine the token's permissions.
6     Privilege escalation via hidden token API               A remote attacker who reaches the hidden token API can gain root privileges and execute commands.
7     Remote code execution                                   A remote attacker can inject strings that force the server to run additional commands.

Affected Products and Solutions

* Affected Products
ThingsPro Gateway Edition 2.1

* Solutions

Item  Vulnerability type                                      Suggested measures
1     User enumeration                                        Use stronger passwords, for example:
                                                              - Minimum 8 characters
                                                              - At least one number (0 to 9)
                                                              - A combination of lower-case and upper-case letters (a to z, A to Z)
                                                              - At least one special character: ~ ! @ # $ % ^ & * -
                                                              A stronger password makes the brute-force step harder but does not remove the enumeration weakness itself.
2     User privilege escalation                               Items 2 to 7: Moxa has addressed these vulnerabilities in a new firmware
3     Broken access control                                   release, ThingsPro Gateway Edition 2.3. Please contact your Moxa sales
4     Old password not required when changing the password    representative to obtain the firmware.
5     Cleartext storage of sensitive information
6     Privilege escalation via hidden token API
7     Remote code execution
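The following Python example is added here to illustrate two of the measures above in working code; it is not Moxa's code and does not reflect how the ThingsPro Gateway implements authentication. It enforces the item 1 password policy exactly as listed (assuming that only the special characters the advisory names count as special), and it contrasts a password-change routine with the item 4 weakness (no old-password check) against a hardened one that verifies the old password and enforces the policy. The `UserStore` class, its PBKDF2 parameters and the sample user names are hypothetical.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Tuple

# Rule sets taken from the advisory's suggested password policy (item 1).
# Assumption: only the special characters the advisory lists count as special.
DIGITS = set("0123456789")
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
SPECIAL = set("~!@#$%^&*-")

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, not a product setting


def password_policy_violations(password: str) -> List[str]:
    """Return the advisory rules the password fails; an empty list means compliant."""
    chars = set(password)
    violations = []
    if len(password) < 8:
        violations.append("minimum 8 characters")
    if not chars & DIGITS:
        violations.append("at least one number (0 to 9)")
    if not (chars & LOWER and chars & UPPER):
        violations.append("combination of lower-case and upper-case letters")
    if not chars & SPECIAL:
        violations.append("at least one special character (~ ! @ # $ % ^ & * -)")
    return violations


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Hypothetical in-memory account store used only to illustrate the checks."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, digest)

    def add_user(self, username: str, password: str) -> None:
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + "; ".join(violations))
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Check credentials without revealing whether the user name exists.

        An unknown user still costs one PBKDF2 computation and yields the same
        False result as a wrong password, so neither timing nor the response
        helps an attacker enumerate accounts (the weakness behind item 1).
        """
        salt, digest = self._users.get(username, (bytes(16), bytes(32)))
        candidate = _hash_password(password, salt)
        matches = hmac.compare_digest(candidate, digest)
        return matches and username in self._users

    def change_password_unchecked(self, username: str, new_password: str) -> None:
        """The behaviour item 4 describes: the old password is never asked for.

        Anyone who can issue this request for the account can take it over by
        setting a password of their choosing. Shown for contrast only.
        """
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(new_password, salt))

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        """Hardened variant: prove knowledge of the old password, then enforce the policy."""
        if not self.verify(username, old_password):
            return False
        if password_policy_violations(new_password):
            return False
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(new_password, salt))
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("admin", "Adm1n!pass")
    print(password_policy_violations("password"))                  # three violations
    print(store.change_password("admin", "wrong", "N3w!pass"))      # False
    print(store.change_password("admin", "Adm1n!pass", "N3w!pass")) # True
```

The hardened `change_password` deliberately returns the same `False` for a wrong old password and for a non-compliant new password, and `verify` does the same amount of work for unknown and known users; both choices keep the server from handing an attacker the per-account signal that user enumeration depends on.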

Acknowledgment

We would like to thank Mr. Alexander Nochvay from Kaspersky Lab ICS CERT for reporting these vulnerabilities, working with us to enhance the security of our products, and helping us provide a better service to our customers.

Revision History

Version Description Release Date
1.0 First release Oct 17, 2018
