Moxa ioLogik 4000 Series Multiple Web Server Vulnerabilities and Improper Access Control Vulnerability
Monitor4 | MPSA-230310 | Aug 24, 2023
Summary
The ioLogik E4200 firmware v1.6 and prior contains multiple web server misconfigurations and an improper access control issue. Specifically: an exposed unauthorized service allows direct access without authentication (CVE-2023-4227); session cookies lack the HttpOnly flag, enabling session hijacking (CVE-2023-4228); missing security headers allow UI frame manipulation (CVE-2023-4229); and the server banner leaks sensitive version information (CVE-2023-4230). These weaknesses could allow attackers to compromise the web service, steal credentials, or gain unauthorized administrative access to the device.
What this means
What could happen
An attacker with network access to the ioLogik 4000 web interface could gain unauthorized access, intercept session cookies, or manipulate the web service, potentially allowing them to read or alter device configuration and monitoring parameters that control remote I/O operations.
Who's at risk
Water utilities and electric utilities operating remote I/O devices (ioLogik 4000 series) for distributed monitoring and control, especially at pump stations, treatment facilities, or substations. Site supervisors and control engineers who need to access device configuration and status via the web interface are at risk of credential theft and unauthorized access.
How it could be exploited
An attacker on the network connects to the ioLogik 4000 web server (typically port 80/443). They exploit missing security headers and improper session handling to steal session cookies or hijack user sessions, or connect directly to an exposed unauthorized service to bypass authentication and gain administrative access.
Prerequisites
- Network access to the ioLogik 4000 web server (typically port 80/443)
- For session hijacking: ability to capture HTTP traffic or trick a user into accessing the device
- For unauthorized service exploitation: network reachability to the device on the local network or via a firewall gap
Tags:
- remotely exploitable
- no authentication required for unauthorized service
- no patch available
- affects OT device management interface
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product      | Affected Versions | Fix Status
ioLogik 4000 | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Immediately place the ioLogik 4000 behind a firewall or VPN; restrict access to the web management interface to trusted engineering networks only
HARDENING: Disable remote access to the web interface if not required for operations; require VPN or jump host for any remote management
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
WORKAROUND: Monitor access logs for any unauthorized connection attempts to the device or the web service
HARDENING: Segregate the ioLogik 4000 on a separate VLAN or network segment from critical control systems
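The firewall restriction and the access-log monitoring items above can be checked together. The following is an added example, not code from Moxa or from this advisory: it scans constructed firewall log lines for connections to the device's web ports (80/443) from outside an assumed trusted engineering subnet; the device IP, subnet and log format are hypothetical.

```python
import ipaddress
import re

# Constructed sample firewall log lines, "timestamp src dst dst_port action"
# (an assumed format; adapt LINE_RE to the real log source in front of the device).
SAMPLE_LOG = """\
2023-08-24T10:01:02Z 10.20.5.17 10.20.9.40 80 ALLOW
2023-08-24T10:01:09Z 10.20.5.17 10.20.9.40 443 ALLOW
2023-08-24T10:03:41Z 192.168.77.8 10.20.9.40 80 ALLOW
2023-08-24T10:04:00Z 172.16.3.9 10.20.9.40 22 ALLOW
2023-08-24T10:05:13Z 203.0.113.5 10.20.9.40 443 DENY
"""

# Hypothetical addressing: the ioLogik's management IP and the engineering
# subnet that is the only legitimate source of web-interface traffic.
DEVICE_IP = ipaddress.ip_address("10.20.9.40")
TRUSTED_NETS = [ipaddress.ip_network("10.20.5.0/24")]
WEB_PORTS = {80, 443}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def untrusted_web_access(log_text):
    """Return (timestamp, src, port, action) for every connection to the
    device's web ports from outside TRUSTED_NETS.

    ALLOW hits mean the firewall rule is looser than the hardening item requires;
    DENY hits are probes against the exposed interface and still worth review.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of crashing the monitor
        ts, src, dst, port, action = m.groups()
        if ipaddress.ip_address(dst) != DEVICE_IP or int(port) not in WEB_PORTS:
            continue
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in TRUSTED_NETS):
            continue
        findings.append((ts, src, int(port), action))
    return findings


if __name__ == "__main__":
    for ts, src, port, action in untrusted_web_access(SAMPLE_LOG):
        print(f"{ts} {src} -> {DEVICE_IP}:{port} {action}")
```

On the sample above only the two connections from outside 10.20.5.0/24 to ports 80/443 are reported; the SSH hit on port 22 is out of scope for this check.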