Moxa EDS-G516E and EDS-510E Series Ethernet Switches Vulnerabilities
Monitor · 7 · Sep 25, 2019
Summary
Multiple vulnerabilities were identified in Moxa EDS-G516E and EDS-510E Series Ethernet Switches: (1) Stack-based buffer overflow in IEEE802.1x settings page allows arbitrary code execution or device crash; (2) Weak cryptographic algorithm enables disclosure of confidential information; (3) Hard-coded cryptographic key increases risk of data recovery; (4) Hard-coded password allows unauthorized access without authentication; (5) Buffer overflow in syslog, DHCP, and PTP settings pages can cause device unavailability; (6) User credentials transmitted in cleartext over HTTP. The EDS-G516E has no patch available from the vendor.
What this means
What could happen
An attacker could exploit multiple vulnerabilities in these Ethernet switches to execute arbitrary code, disable the device, or intercept credentials and configuration data in transit.
Who's at risk
Water authorities and electric utilities using Moxa EDS-G516E or EDS-510E Ethernet switches for industrial network connectivity should assess their risk. These switches are commonly used to connect PLCs, SCADA systems, and other critical control equipment to plant networks. Compromise could affect the availability and integrity of control communications.
How it could be exploited
An attacker with network access to the switch's web interface could inject oversized payloads into the IEEE802.1x, syslog, DHCP, or PTP settings pages to trigger a buffer overflow and crash the device or execute code. Credentials transmitted in cleartext could be captured via network sniffing. Hard-coded passwords and cryptographic keys in the firmware could allow unauthorized direct access.
Prerequisites
- Network access to the switch's web management interface (typically port 80/443)
- No authentication required for buffer overflow vulnerabilities in web settings pages
- For credential interception: ability to sniff unencrypted HTTP traffic on the network
- remotely exploitable
- no authentication required for some vulnerabilities
- no patch available for EDS-G516E
- hard-coded credentials present
- credentials sent in cleartext
- buffer overflow vulnerabilities allow denial of service and code execution
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| EDS-G516E | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HOTFIX: Check Moxa's advisory and contact Moxa support to determine if firmware updates or replacement guidance are available for your specific switch models and firmware versions
- WORKAROUND: Restrict network access to the switch's web management interface using firewall rules or access control lists (ACLs) to allow only authorized engineering workstations and administrative subnets
- HARDENING: Use HTTPS-only access to the switch management interface if available, and verify that SSH or encrypted alternatives are enabled instead of cleartext Telnet/HTTP
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor and log all access attempts to the switch's management interface to detect exploitation attempts
Mitigations - no patch available
EDS-G516E has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate the switch management network from untrusted networks using network segmentation (e.g., separate VLAN for device management)
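
The access-restriction, HTTPS-only, and monitoring recommendations above can be checked against flow or firewall logs. The following is an added example, not code from Moxa or from this advisory: it audits flow records for management sessions that come from outside the authorized subnets, use cleartext protocols, or carry unusually large requests. The IP addresses, subnets, record format (`src dst dport request_bytes`), and size threshold are all constructed assumptions.

```python
import ipaddress

# Assumptions for illustration (not from the advisory): all addresses, subnets,
# the record format and the size ceiling below are constructed sample values.
SWITCH_MGMT_IPS = {ipaddress.ip_address("10.20.0.5")}
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.99.0/28")]  # engineering workstations
MGMT_PORTS = {80: "http", 443: "https", 23: "telnet", 22: "ssh"}
CLEARTEXT = {"http", "telnet"}
MAX_REQUEST_BYTES = 4096  # hypothetical ceiling for a settings-page request

# Constructed flow records: "src dst dport request_bytes"
SAMPLE_FLOWS = """\
10.20.99.4 10.20.0.5 443 812
10.20.99.4 10.20.0.5 80 640
10.30.7.21 10.20.0.5 443 702
10.20.99.9 10.20.0.5 443 18000
10.20.99.4 10.20.0.77 80 500
malformed line
"""

def audit_flows(text):
    """Return (line_no, src, finding) tuples for flows to switch management ports."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src, dst = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
            dport, size = int(parts[2]), int(parts[3])
        except (IndexError, ValueError):
            # Surface bad records instead of silently dropping them.
            findings.append((n, None, "unparseable record"))
            continue
        if dst not in SWITCH_MGMT_IPS or dport not in MGMT_PORTS:
            continue  # not traffic to a monitored management interface
        if not any(src in net for net in AUTHORIZED_NETS):
            findings.append((n, str(src), "source outside authorized subnets"))
        if MGMT_PORTS[dport] in CLEARTEXT:
            findings.append((n, str(src), f"cleartext {MGMT_PORTS[dport]} management session"))
        if size > MAX_REQUEST_BYTES:
            findings.append((n, str(src), "oversized request to management interface"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```
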