CVE-2023-39983: MXsecurity Series Multiple Vulnerabilities

A vulnerability that poses a potential risk of polluting the MXsecurity sqlite database and the nsm-web UI has been identified in MXsecurity versions prior to v1.0.1. This vulnerability might allow an unauthenticated remote attacker to register or add devices via the nsm-web application.
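The summary above describes an unauthenticated client being able to register or add devices through nsm-web, which is the CWE-915 pattern (item 5 in the advisory table): a handler that copies every attribute of the request body onto a server-side object. The following is an added illustration, not code from MXsecurity or nsm-web. The Device class, the function names and the sample request body are all constructed for the example; the hardened version rejects keys outside an allow-list and takes owner and approval state from trusted server context instead of the body.

```python
# Added example, not nsm-web or MXsecurity code: a hypothetical device
# registration handler showing the CWE-915 pattern and its fix.
from dataclasses import dataclass


@dataclass
class Device:
    # Attributes a registration request is allowed to supply (constructed).
    name: str = ""
    ip: str = ""
    serial: str = ""
    # Attributes the server must control; a client should never set these.
    owner_id: int = 0        # assumption: comes from the authenticated session
    approved: bool = False   # assumption: set by an administrator workflow


def register_device_unsafe(payload: dict) -> Device:
    """Vulnerable: every key in the request body becomes an attribute."""
    device = Device()
    for key, value in payload.items():
        setattr(device, key, value)  # attacker chooses the attribute name
    return device


# Allow-list of attributes a registration request may set.
WRITABLE = frozenset({"name", "ip", "serial"})


def register_device(payload: dict, session_user_id: int) -> Device:
    """Hardened: reject unknown keys, copy only allow-listed ones, and set
    server-controlled fields from trusted context rather than the body."""
    unknown = set(payload) - WRITABLE
    if unknown:
        raise ValueError(f"unexpected attributes: {sorted(unknown)}")
    device = Device(**{key: payload[key] for key in WRITABLE if key in payload})
    device.owner_id = session_user_id  # never taken from the request
    return device


# Constructed request body: a legitimate name and ip plus a field the
# client should not be able to set.
CONSTRUCTED_PAYLOAD = {"name": "edge-01", "ip": "10.0.0.5", "approved": True}

if __name__ == "__main__":
    print("unsafe:", register_device_unsafe(CONSTRUCTED_PAYLOAD))
    try:
        register_device(CONSTRUCTED_PAYLOAD, session_user_id=7)
    except ValueError as exc:
        print("hardened rejected:", exc)
```

Rejecting unknown keys (rather than silently dropping them) is the choice made here because it surfaces probing in application logs; a real handler would additionally validate the value of each allowed field, for example that `ip` parses as an address.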


SUMMARY

MXsecurity Series Multiple Vulnerabilities

  • Security Advisory ID: MPSA-230403
  • Version: V1.1
  • Release Date: Sep 01, 2023
  • Reference:
    • CVE-2023-39979 (cve.org)
    • CVE-2023-39980 (cve.org)
    • CVE-2023-39981 (cve.org)
    • CVE-2023-39982 (cve.org)
    • CVE-2023-39983 (cve.org)

These vulnerabilities are caused by the improper design or implementation of authentication mechanisms and input validation. Exploiting these vulnerabilities could enable an attacker to bypass authentication, which could lead to the unauthorized disclosure or tampering of authenticated information, unauthorized access to sensitive data, and remote access without proper authorization.

The identified vulnerability types and potential impacts are shown below:

Item | Vulnerability Type | CVE | Impact
1 | Small Space of Random Values (CWE-334) | CVE-2023-39979 | An attacker can bypass authentication to gain unauthorized access.
2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | CVE-2023-39980 | An attacker can change the SQL command to gain unauthorized access to disclose information.
3 | Improper Authentication (CWE-287) | CVE-2023-39981 | An attacker can gain unauthorized access to disclose device information.
4 | Use of Hard-coded Credentials (CWE-798) | CVE-2023-39982 | An attacker can facilitate man-in-the-middle attacks and enable the decryption of SSH traffic.
5 | Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) | CVE-2023-39983 | An attacker can register/add a device via the nsm-web application.
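Item 2 (CWE-89) is the classic case of a request value being spliced into SQL text. The following is an added example, not code from MXsecurity; it uses an in-memory SQLite database because the advisory summary mentions an sqlite database, but the schema, rows, function names and the tautology input are all constructed. The vulnerable and hardened query sit side by side so the difference in behaviour on the same input is visible.

```python
# Added example, not Moxa code: the same lookup written with string
# formatting (vulnerable) and with a bound parameter (hardened).
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; none of this is MXsecurity's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("edge-01", "alice"), ("edge-02", "alice"), ("core-01", "bob")],
    )
    return conn


def devices_for_owner_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: the caller's string becomes part of the WHERE clause."""
    sql = f"SELECT name FROM devices WHERE owner = '{owner}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def devices_for_owner(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the value is bound as a parameter and can only ever match
    a literal owner string, never alter the statement."""
    sql = "SELECT name FROM devices WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed tautology input: closes the quoted literal and adds a clause
# that is always true.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:   ", devices_for_owner_unsafe(db, TAUTOLOGY))
    print("hardened: ", devices_for_owner(db, TAUTOLOGY))
```

The hardened query returns nothing for the tautology input because no row has an owner literally equal to that string; the unsafe one returns every device. Note that `sqlite3`'s `execute()` refuses to run more than one statement, so stacked queries fail here, but a tautology inside a single statement does not need them.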

Vulnerability Scoring Details

ID | CVSS V3.1 | VECTOR | REMOTE EXPLOIT WITHOUT AUTH?
CVE-2023-39979 | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Yes
CVE-2023-39980 | 7.1 | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N | No
CVE-2023-39981 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Yes
CVE-2023-39982 | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Yes
CVE-2023-39983 | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | Yes

AFFECTED PRODUCTS AND SOLUTIONS

Affected Products:

The affected products and firmware versions are shown below.

Product Series | Affected Versions
MXsecurity Series | Software version v1.0.1 and prior versions

Solutions:

Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.

Product Series | Solutions
MXsecurity Series | Please upgrade to firmware v1.1.0 or later.

Mitigation:

  • Minimize network exposure to ensure the device is not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs).
  • All of the above vulnerabilities are reached through the web service, so if the device's configuration is complete it is recommended to disable the web service temporarily, to prevent further damage from these vulnerabilities until the patch or updated firmware has been installed.
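Item 4 of the vulnerability table (CWE-798, hard-coded credentials enabling man-in-the-middle and decryption of SSH traffic) has a fleet-wide symptom a defender can look for while waiting to patch: devices that present identical SSH key material. The following is an added example, not Moxa's tooling, and it assumes the hard-coded material is an SSH host key, which the advisory does not state. It reads known_hosts-format lines (the same format `ssh-keyscan` prints), computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint seen on more than one host. The three hosts and two key blobs are constructed inside the block.

```python
# Added example, not Moxa code: flag SSH host keys shared by several devices.
import base64
import hashlib
from collections import defaultdict

# Constructed stand-ins for public key blobs. A real blob is the wire-format
# key; the grouping logic below only needs the bytes to be identical or not.
_KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
_KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

# Constructed known_hosts-style input: "<host> <keytype> <base64 blob>".
CONSTRUCTED_KNOWN_HOSTS = f"""\
10.0.0.1 ssh-ed25519 {_KEY_A}
10.0.0.2 ssh-ed25519 {_KEY_A}
10.0.0.3 ssh-ed25519 {_KEY_B}
# comment lines and blank lines are ignored

"""


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> list:
    """Return (host, keytype, blob) triples, skipping comments, blanks and
    malformed lines. Hashed hosts (|1|...) are kept as-is and will not be
    human-readable; gather with ssh-keyscan instead if that matters."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def shared_host_keys(text: str) -> dict:
    """Map fingerprint -> sorted list of hosts, only for keys seen on more
    than one host. An empty result means every device has a distinct key."""
    hosts_by_fp = defaultdict(set)
    for host, _keytype, blob in parse_known_hosts(text):
        hosts_by_fp[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_host_keys(CONSTRUCTED_KNOWN_HOSTS).items():
        print(f"{fp} shared by {', '.join(hosts)}")
```

A shared host key across independently installed units is strong evidence that the key ships in the firmware image rather than being generated per device; the fix on the vendor side is the firmware update above, and on the operator side it means host-key pinning gives no protection against an impersonating peer until then.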

Products Confirmed Not Vulnerable:

Only products listed in the Affected Products section of this advisory are known to be affected by these vulnerabilities.

Acknowledgment:

We would like to express our appreciation to Noam Moshe of Claroty Research - Team82 for reporting the vulnerabilities (CVE-2023-39979, CVE-2023-39980, and CVE-2023-39981), Darren Martyn for advising on a vulnerability (CVE-2023-39982), and James Sebree from the Tenable Bug Bounty Program for his contribution in reporting a vulnerability (CVE-2023-39983) and working with us to help enhance the security of our products and provide a better service to our customers.

Revision History:

VERSION | DESCRIPTION | RELEASE DATE
1.0 | First Release | Sept. 1, 2023
1.1 | Update credit to Claroty | Sept. 1, 2023
