OTPulse

Moxa MGate Authentication Bypass Vulnerability

Act Now | CVSS 9.1 | ICS-CERT ICSA-16-196-02 | Apr 17, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Moxa MGate industrial protocol gateways contain an authentication bypass vulnerability in their web management interface. An attacker with network access could bypass authentication and gain unauthorized administrative access to configure or modify gateway settings without providing valid credentials. The vulnerability is due to improper cryptographic implementation (CWE-326).

What this means
What could happen
An attacker could gain administrative access to an MGate gateway without authentication, allowing them to alter protocol translation rules, reconfigure device settings, or redirect industrial protocol traffic. This could disrupt communication between control systems and field devices, leading to loss of visibility or control over plant operations.
Who's at risk
Water utilities and electric utilities using Moxa MGate protocol gateways for SCADA communication between legacy industrial devices and modern control systems are affected. This includes MGate MB3180, MB3280, MB3480, MB3170, and MB3270 units running the affected firmware versions. Any facility using these gateways for critical process data translation between Modbus RTU/TCP and other industrial protocols should be considered at risk.
How it could be exploited
An attacker on the network would connect to the MGate's web management interface (typically port 80 or 443) and send a crafted authentication request. The improper cryptographic handling allows the attacker to bypass authentication checks and reach the administrative interface where they can modify gateway configuration and routing rules.
Prerequisites
  • Network access to the MGate web management port (80/443)
  • MGate device must be reachable from attacker's network segment
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects industrial protocol communication
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (5)
5 EOL
Product | Affected Versions | Fix Status
MGate MB3180 | ≤ v1.8 | No fix (EOL)
MGate MB3280 | ≤ v2.7 | No fix (EOL)
MGate MB3480 | ≤ v2.6 | No fix (EOL)
MGate MB3170 | ≤ v2.5 | No fix (EOL)
MGate MB3270 | ≤ v2.7 | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate MGate devices on a dedicated industrial network segment with restricted access; use a firewall to limit access to the management interface (ports 80/443) to only authorized engineering workstations
  • HARDENING: Implement network segmentation and air-gap or DMZ-style isolation if MGate devices are currently accessible from the IT network or untrusted network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor MGate management interface logs for unauthorized access attempts and unexpected configuration changes
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MGate MB3180 (≤ v1.8), MGate MB3280 (≤ v2.7), MGate MB3480 (≤ v2.6), MGate MB3170 (≤ v2.5), MGate MB3270 (≤ v2.7). Apply the following compensating controls:
  • HARDENING: Evaluate replacement of end-of-life MGate units with current Moxa products that include security updates and bug fixes, or transition to alternative gateway solutions with active vendor support
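
Because these units will not receive a fix, it is worth verifying that the management-port restriction described under "Do now" actually holds. The script below is an added example, not part of the advisory or any Moxa tooling. It audits flow records for connections to the gateways' web management ports (80/443) from sources outside the engineering-workstation allowlist. The gateway addresses, the allowlist subnet and the CSV flow layout are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumptions, not from the advisory: the gateway addresses, the engineering
# workstation subnet and the CSV flow-record layout are constructed samples.
MGATE_GATEWAYS = {"10.20.0.11", "10.20.0.12"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.5.0/28")]
MGMT_PORTS = {80, 443}  # web management ports named in the advisory

SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2024-01-01T08:00:01Z,10.20.5.4,10.20.0.11,443,tcp
2024-01-01T08:03:17Z,10.20.9.40,10.20.0.11,502,tcp
2024-01-01T08:05:42Z,192.168.1.77,10.20.0.12,80,tcp
2024-01-01T08:06:10Z,10.20.5.20,10.20.0.11,443,tcp
2024-01-01T08:07:00Z,not-an-ip,10.20.0.12,80,tcp
"""


def is_allowed(src):
    """True only if src parses as an IP inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed: an unparseable source is never trusted
    return any(addr in net for net in ALLOWED_SOURCES)


def audit_flows(text):
    """Return flows that reached a gateway management port from a
    source outside the allowlist, as (ts, src, dst, dport) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["dst"] not in MGATE_GATEWAYS or row["proto"] != "tcp":
            continue
        if not row["dport"].isdigit() or int(row["dport"]) not in MGMT_PORTS:
            continue  # e.g. Modbus/TCP on 502 is process traffic, not management
        if not is_allowed(row["src"]):
            findings.append((row["ts"], row["src"], row["dst"], int(row["dport"])))
    return findings


if __name__ == "__main__":
    for ts, src, dst, port in audit_flows(SAMPLE_FLOWS):
        print(f"{ts} unauthorized management access {src} -> {dst}:{port}")
```

Any finding means the firewall rule is missing or too broad for that path; the Modbus/TCP flow on port 502 in the sample is deliberately ignored because it is not management traffic.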