OTPulse

Moxa AWK-3131A Wireless AP/Bridge/Client Vulnerabilities

Apr 10, 2017
Summary

Multiple vulnerabilities were identified in Moxa AWK-3131A Series Wireless AP/Bridge/Client devices, affecting all firmware versions:
  • Nonce reuse in the web console allowing session token replay (CVE-2016-8712)
  • Cleartext transmission of passwords to the web console, enabling credential theft by anyone who can observe the traffic (CVE-2016-8716)
  • Hardcoded administrator credentials that cannot be modified or removed (CVE-2016-8717)
  • Cross-site request forgery (CSRF), allowing an attacker to execute actions in the context of an authenticated user (CVE-2016-8718)
  • Reflected cross-site scripting (XSS) in the web interface (CVE-2016-8719)
  • HTTP header injection (CVE-2016-8720)
  • Command injection in the ping function, enabling arbitrary command execution on the device (CVE-2016-8721)
  • Information disclosure through specific URLs reachable without authentication (CVE-2016-8722)
  • A denial of service vulnerability
Moxa has stated that no patch will be released for these devices. Together, these vulnerabilities allow remote attackers to intercept credentials, gain administrative access, execute arbitrary commands on the device, and disrupt its operation.

What this means
What could happen
An attacker could gain unauthorized control of Moxa AWK-3131A wireless access points through multiple vulnerabilities, including hardcoded credentials and password interception, potentially disrupting wireless network connectivity to critical transportation or industrial equipment.
Who's at risk
Transportation systems and industrial facilities using Moxa AWK-3131A wireless access points, bridge, or client devices for wireless connectivity to control networks or monitoring systems are affected.
How it could be exploited
An attacker with network access to the web console could intercept plaintext passwords in transit, log in with the hardcoded administrator credentials, or replay a captured session token. Once authenticated (the information-disclosure URLs need no authentication at all), they could inject operating-system commands through the ping function, or use CSRF to have an authenticated administrator's browser issue the same requests, to execute arbitrary commands on the device and reconfigure it.
Prerequisites
  • Network access to the web console (HTTP/HTTPS port)
  • For password interception: ability to monitor network traffic to the device
  • For hardcoded credentials attack: no special privileges needed
  • For command injection: authenticated session or ability to craft CSRF requests from an authenticated user's browser
Tags: remotely exploitable; no authentication required (for some vulnerabilities); hardcoded credentials; no patch available; CVSS 10.0 (critical severity); multiple attack vectors
Exploitability
Moderate exploit probability (EPSS 3.2%)
Affected products (1)
Product      Affected Versions    Fix Status
AWK-3131A    All versions         No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Isolate or remove AWK-3131A devices from production networks if they are exposed to untrusted network segments
  • WORKAROUND: Implement firewall rules to restrict web console access (HTTP/HTTPS) to authorized engineering workstations only
  • WORKAROUND: Disable web management on the device if not actively used; use serial or out-of-band management instead
Mitigations - no patch available
AWK-3131A has reached End of Life and the vendor will not release a patch. Because the hardcoded administrator account (CVE-2016-8717) cannot be changed or removed, rotating passwords does not help; the compensating controls below work by limiting who can reach the web console and by noticing when someone unexpected does:
  • HARDENING: Enforce network segmentation to isolate wireless APs from critical control networks
  • HARDENING: Monitor for unauthorized access attempts to the web console and watch for failed login activity
  • HARDENING: Plan replacement of AWK-3131A devices with current-generation Moxa wireless products that have vendor support and security patches
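The two controls that remain once patching is off the table are restricting web-console reachability to engineering workstations and watching the console for login activity from anywhere else. The script below is an added example (not OTPulse or Moxa code) that does both checks offline over access-log lines. The log line format, the engineering subnet 10.10.5.0/24, the login path /login and the failure threshold are all assumptions made for illustration; adapt the regex and constants to the real export from the device, or from the proxy or firewall placed in front of it.

```python
"""Offline review of web-console access logs for an EOL Moxa AWK-3131A.

Added example, not vendor or advisory code. The line format
"<timestamp> <src_ip> <GET|POST> <path> <status>" is an assumption
constructed for this example; replace LINE_RE with one matching your
actual log source.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed allowlist: the only hosts that should ever reach the web console.
ENGINEERING_NETS = [ip_network("10.10.5.0/24")]
# Assumed path of the web-console login handler.
LOGIN_PATH = "/login"
# Failed logins from one source before we call it a brute-force attempt.
FAILED_LOGIN_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: two engineering hosts, one unauthorized host
# that fails three times and then succeeds, and one unrelated syslog line.
SAMPLE_LOG = """\
2017-04-10T08:01:12Z 10.10.5.21 GET / 200
2017-04-10T08:01:15Z 10.10.5.21 POST /login 200
2017-04-10T08:02:01Z 10.10.5.33 POST /login 401
2017-04-10T08:02:04Z 10.10.5.33 POST /login 401
2017-04-10T08:02:07Z 10.10.5.33 POST /login 401
2017-04-10T08:05:40Z 192.168.40.7 POST /login 401
2017-04-10T08:05:42Z 192.168.40.7 POST /login 401
2017-04-10T08:05:44Z 192.168.40.7 POST /login 401
2017-04-10T08:05:50Z 192.168.40.7 POST /login 200
2017-04-10T08:06:00Z 192.168.40.7 GET /status 200
kernel: wlan0 link up
"""


def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ip_address(rec["src"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def is_engineering(src):
    """True if the source address falls inside an allowlisted subnet."""
    addr = ip_address(src) if isinstance(src, str) else src
    return any(addr in net for net in ENGINEERING_NETS)


def analyze(log_text):
    """Flag non-allowlisted sources, brute-force attempts, and successful
    logins that followed failures (the signature of guessed or replayed
    credentials against a device whose admin account cannot be changed)."""
    unauthorized = set()
    failures = Counter()
    success_after_failures = set()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        src = str(rec["src"])
        if not is_engineering(rec["src"]):
            unauthorized.add(src)
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            if rec["status"] == 401:
                failures[src] += 1
            elif rec["status"] == 200 and failures[src] > 0:
                success_after_failures.add(src)
    return {
        "unauthorized_sources": sorted(unauthorized),
        "bruteforce_sources": sorted(
            ip for ip, n in failures.items() if n >= FAILED_LOGIN_THRESHOLD
        ),
        "success_after_failures": sorted(success_after_failures),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The allowlist check is the one that matters most here: a login with the hardcoded account or a replayed token succeeds on the first try and never trips a failure counter, so any console request from outside the engineering subnet is the finding, regardless of status code. The failure counter and the success-after-failures set add coverage for guessing against the legitimate accounts, which the cleartext transmission (CVE-2016-8716) makes unnecessary for an attacker who can sniff the segment, another reason the network-level restriction has to come first.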