CVE-2022-40224: SDS-3008 Series Multiple Web Vulnerabilities
A denial of service vulnerability exists in the web server functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted HTTP message header can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.
SUMMARY
SDS-3008 Series Multiple Web Vulnerabilities
- Security Advisory ID: MPSA-230101
- Version: V1.0
- Release Date: Feb 02, 2023
- Reference:
  - NVD CVE-2022-40693 (mitre.org)
  - NVD CVE-2022-40224 (mitre.org)
  - NVD CVE-2022-41311 (mitre.org)
  - NVD CVE-2022-41312 (mitre.org)
  - NVD CVE-2022-41313 (mitre.org)
  - NVD CVE-2022-40691 (mitre.org)
The SDS-3008 Series web server is affected by multiple vulnerabilities.
- A remote attacker may disclose unauthorized information or perform a denial-of-service attack.
- A remote attacker may execute arbitrary script code in the browser of an unsuspecting user.
The identified vulnerability types and potential impacts are shown below:

| Item | Vulnerability Type | Impact |
|---|---|---|
| 1 | Cleartext Transmission of Sensitive Information (CWE-319), CVE-2022-40693 | A cleartext transmission vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted network sniffing tool can lead to disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. |
| 2 | Insufficient Resource Pool (CWE-410), CVE-2022-40224 | A denial-of-service vulnerability exists in the web server functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP message header can lead to a denial-of-service attack. An attacker can send an HTTP request to trigger this vulnerability. |
| 3 | Improper Neutralization of Input During Web Page Generation (CWE-79), CVE-2022-41311, CVE-2022-41312, CVE-2022-41313 | A stored cross-site scripting vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to arbitrary JavaScript code being executed. An attacker can send an HTTP request to trigger this vulnerability. |
| 4 | Information Exposure (CWE-200), CVE-2022-40691 | An information disclosure vulnerability exists in the web application functionality of Moxa’s SDS-3008 Series Industrial Ethernet switch v2.1. A specially crafted HTTP request can lead to disclosure of sensitive information. An attacker can send an HTTP request to trigger this vulnerability. |
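Items 2 and 3 describe weakness classes (CWE-410 and CWE-79) rather than a specific code path, so the following is a generic defensive illustration added for this page; it is not Moxa firmware code and says nothing about how the SDS-3008 web server is implemented. It shows an embedded management web server parsing request headers under hard size and count limits (answering with 431 instead of exhausting its buffers) and rendering a stored, user-controlled field with HTML escaping so a value saved through one request cannot execute as script when later viewed. The limit values, function names and sample inputs are all assumptions constructed for the example.

```python
"""Defensive handling for two of the weakness classes in the advisory:
CWE-410 (resource exhaustion through oversized HTTP headers) and
CWE-79 (stored XSS through unescaped user-controlled fields).
Generic illustration written for this page, not Moxa firmware code."""
import html

# Assumed limits for a small embedded management web server (not Moxa's values).
MAX_HEADER_LINE = 4096     # bytes allowed per "Name: value" line
MAX_HEADER_COUNT = 64      # header lines accepted per request
MAX_HEADERS_TOTAL = 16384  # bytes allowed for the whole header block


class HeaderTooLarge(Exception):
    """Raised when a header block exceeds the configured limits; the server
    maps this to HTTP 431 rather than trying to buffer the input."""


def parse_headers(raw: bytes) -> dict:
    """Parse an HTTP/1.x header block with hard bounds on size and count.

    `raw` is everything between the request line and the terminating blank
    line. Every limit is checked before more memory is committed, so an
    oversized or never-ending header block cannot pin the connection's buffers.
    Later duplicates of a header name overwrite earlier ones."""
    if len(raw) > MAX_HEADERS_TOTAL:
        raise HeaderTooLarge("header block exceeds %d bytes" % MAX_HEADERS_TOTAL)
    headers = {}
    count = 0
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        if len(line) > MAX_HEADER_LINE:
            raise HeaderTooLarge("header line exceeds %d bytes" % MAX_HEADER_LINE)
        count += 1
        if count > MAX_HEADER_COUNT:
            raise HeaderTooLarge("more than %d header lines" % MAX_HEADER_COUNT)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("latin-1")
    return headers


def handle_request(raw_headers: bytes) -> int:
    """Return the HTTP status code the server would answer with for a header
    block: 431 for limit violations, 400 for malformed lines, 200 otherwise."""
    try:
        parse_headers(raw_headers)
    except HeaderTooLarge:
        return 431
    except ValueError:
        return 400
    return 200


def render_field(label: str, stored_value: str) -> str:
    """Render a stored, user-controlled value into an HTML table row.
    html.escape with quote=True neutralises <, >, &, " and ', which is the
    output-encoding step whose absence CWE-79 describes."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(label, quote=True),
        html.escape(stored_value, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    normal = b"Host: switch.example\r\nUser-Agent: inventory-check\r\n"
    oversized = b"X-Pad: " + b"A" * 5000 + b"\r\n"
    print("normal request ->", handle_request(normal))        # 200
    print("oversized header ->", handle_request(oversized))   # 431
    print(render_field("Switch name", "<b>core-sw</b>"))
```

The design choice worth noting is that each limit is enforced on the input before it is parsed or stored, so the cost of a rejected request is bounded by the limit rather than by whatever the client chose to send; the same idea applies to connection counts and body sizes on a device with a fixed resource pool.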
AFFECTED PRODUCTS AND SOLUTIONS
Affected Products:
The affected products and firmware versions are shown below.

| Product Series | Affected Versions |
|---|---|
| SDS-3008 Series | Firmware Version 2.1 or lower |
Solutions:
Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

| Product Series | Solutions |
|---|---|
| SDS-3008 Series | Please contact Moxa Technical Support for the security patch. |
Acknowledgment:
We would like to express our appreciation to the Cisco Talos team for reporting the vulnerabilities, working with us to help enhance the security of our products, and helping us provide a better service to our customers.
Revision History:
| Version | Description | Release Date |
|---|---|---|
| 1.0 | First Release | Feb 2, 2023 |