OTPulse

Moxa’s Response Regarding the Libssh Authentication Bypass Vulnerability

Act Now · Nov 27, 2018
Summary

A vulnerability in libssh's server-side state machine (CVE-2018-10933) in versions 0.7.6 and 0.8.4 and prior allows remote attackers to bypass authentication without valid credentials. Moxa has investigated all its products and determined that none are affected by this vulnerability. Moxa's Cyber Security Response Team will continue monitoring and will provide updates if the status changes.

What this means
What could happen
Moxa has determined that its products are not affected by the libssh authentication bypass vulnerability (CVE-2018-10933). No operational impact to Moxa-based systems is expected at this time.
Who's at risk
Moxa devices across all industrial networking and remote management product lines were evaluated. According to Moxa's investigation, no products are affected by the libssh authentication bypass vulnerability.
How it could be exploited
This vulnerability affects libssh versions 0.7.6 and 0.8.4 and prior. If Moxa products had used a vulnerable version of libssh in their SSH server implementation, an attacker with network access could bypass authentication without valid credentials. However, Moxa's investigation found no affected products.
Prerequisites
  • Network access to SSH server on target device
  • Target device uses vulnerable libssh version (0.7.6 or 0.8.4 or earlier)
remotely exploitable · no authentication required · high EPSS score (78.6%) · affects third-party library (libssh)
Exploitability
High exploit probability (EPSS 78.6%)
Affected products (1)
Product | Affected Versions | Fix Status
Moxa’s Response Regarding the Libssh Authentication Bypass Vulnerability | All versions | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Verify your Moxa device inventory and confirm firmware versions to ensure no legacy systems are using vulnerable libssh versions.
Long-term hardening
HARDENING: Monitor Moxa's Cyber Security Response Team (CSRT) for any future notifications if vulnerabilities are found to affect Moxa products.