OTPulse

Moxa MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways Vulnerabilities

Plan Patch · 9 · mb3710-3180-3270-3280-3480-3660-vulnerabilities · Sep 25, 2019
Summary

Multiple critical vulnerabilities exist in Moxa MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways affecting all versions. These include:
  • Stack-based buffer overflow in built-in web server (CVE-2019-9099): allows remote denial-of-service and arbitrary code execution
  • Integer overflow leading to buffer overflow (CVE-2019-9098): causes unexpected memory allocation and buffer overflow
  • CSRF protection bypass (CVE-2019-9102): predictable token generation allows attackers to bypass cross-site request forgery protection
  • Weak cryptographic algorithm (CVE-2019-9095): uses predictable variables, allowing sensitive information disclosure
  • Unauthenticated information exposure (CVE-2019-9103): attackers can access sensitive information and usernames via web service without authorization
  • Cleartext credential transmission (CVE-2019-9101): credentials sent unencrypted over web applications
  • Weak password requirements (CVE-2019-9096): allows brute-force credential attacks
  • Cleartext credential storage (CVE-2019-9104): sensitive data stored unencrypted in configuration files
  • Denial-of-service via resource exhaustion (CVE-2019-9097): web service crashes when overloaded

What this means
What could happen
An attacker with network access to the gateway's web interface could gain administrative access through weak credentials or credential theft, then execute arbitrary commands on the device to alter industrial process settings, reroute data between protocols, or disable communications between plant systems and supervisory control.
Who's at risk
Water utilities, electric utilities, and any facility using Moxa protocol gateways for industrial communication should be concerned. These devices are commonly deployed to bridge legacy industrial protocols (Modbus, Profibus, PROFINET) with modern networks. Affected equipment includes all MB3170, MB3180, MB3270, MB3280, MB3480, and MB3660 Series gateways at any firmware version.
How it could be exploited
An attacker on the network sends HTTP requests to the gateway's web server, exploiting the buffer overflow vulnerabilities to crash the service or execute arbitrary code. Alternatively, the attacker harvests credentials by intercepting cleartext traffic or reading configuration files if file access is available, then uses those credentials to log in and modify gateway configuration or routing rules.
Prerequisites
  • Network access to the gateway's HTTP/web service port (typically port 80 or 443)
  • For credential-based attacks: ability to observe network traffic or file system access to capture credentials
  • For buffer overflow exploitation: no authentication required
  • Remotely exploitable
  • No authentication required for buffer overflow attacks
  • Low complexity exploitation
  • High EPSS score (9.1%)
  • No patch available - end-of-life products
  • Affects protocol bridging equipment critical to plant operations
  • Multiple attack vectors (code execution, credential theft, DoS)
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (1)
Product | Affected Versions | Fix Status
MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways Vulnerabilities | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Immediately implement network segmentation: place gateways on a restricted VLAN and use firewall rules to allow access only from authorized engineering workstations and PLCs. Deny inbound HTTP/HTTPS access from untrusted networks.
WORKAROUND: Disable the built-in web server if remote administration is not required. If needed, restrict web access to a VPN or dedicated management network only.
HARDENING: If the web server must remain enabled, change all default gateway credentials to strong, unique passwords (minimum 12 characters, mixed case, symbols) immediately.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Document the gateway's industrial protocol roles (which PLCs/devices it connects) and monitor for unexpected configuration changes or communication anomalies that could indicate compromise.
Mitigations - no patch available
The MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways have reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Use an IDS/IPS or network anomaly detection to monitor for HTTP requests with malformed payloads targeting the gateway, and log all HTTP connections to the gateway for forensic review.
HARDENING: Contact Moxa support to determine if your gateway models are still supported. If end-of-life, evaluate replacement with current-generation gateways that receive security updates.
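
The segmentation and connection-logging controls above can be checked against each other by auditing logged connections to the gateway's web ports. The following is an added example, not part of the advisory or any Moxa tooling; the addresses, allowlist, log format, and burst threshold are assumptions to replace with site values.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Site-specific assumptions, not values from the advisory.
GATEWAYS = {ipaddress.ip_address("10.20.0.10")}        # gateway address
ALLOWED = [ipaddress.ip_network("10.20.5.0/28")]       # engineering workstations
WEB_PORTS = {80, 443}                                  # ports named in the advisory
BURST_PER_MINUTE = 5                                   # alert threshold

# Constructed sample records in the form "timestamp src dst dport".
SAMPLE_LOG = (
    "2019-09-25T08:00:01 10.20.5.3 10.20.0.10 80\n"    # authorized workstation
    "2019-09-25T08:01:10 10.20.9.44 10.20.0.10 80\n"   # outside the allowlist
    "2019-09-25T08:01:12 10.20.1.7 10.20.0.10 502\n"   # Modbus/TCP, not web
    "not-a-time 10.20.9.44 10.20.0.10 80\n"            # malformed record
    + "".join(f"2019-09-25T08:02:{s:02d} 10.20.9.44 10.20.0.10 443\n"
              for s in range(6))                       # six hits in one minute
)


def audit(log_text):
    """Return (unauthorized, bursts) for web connections to the gateways."""
    unauthorized, per_minute = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                                   # wrong field count
        ts, src, dst, dport = fields
        try:
            minute = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue                                   # unparsable record
        if dst_ip not in GATEWAYS or port not in WEB_PORTS:
            continue                                   # not gateway web traffic
        if not any(src_ip in net for net in ALLOWED):
            unauthorized.append((ts, src, dst, port))
        per_minute[(src, dst, minute)] += 1
    bursts = sorted(key for key, n in per_minute.items() if n > BURST_PER_MINUTE)
    return unauthorized, bursts


if __name__ == "__main__":
    bad, bursts = audit(SAMPLE_LOG)
    for rec in bad:
        print("UNAUTHORIZED", *rec)
    for src, dst, minute in bursts:
        print("BURST", src, "->", dst, "during", minute)
```

Any UNAUTHORIZED result means the firewall rules are not enforcing the intended allowlist; BURST results are worth correlating with gateway web service outages.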