OTPulse

Moxa TN-5900 and TN-4900 Series Web Server Multiple Vulnerabilities

Low Risk | CVSS 3 | MPSA-230402 | Oct 20, 2023
Summary

Moxa TN-5900 Series (all versions) and TN-4900 Series (prior to version 1.2.4) contain multiple web server vulnerabilities due to insufficient input validation. The vulnerabilities include:

  1. Improper authentication (CVE-2023-33237): Allows brute-force attacks against authentication parameters.
  2. Command injection (CVE-2023-33238, CVE-2023-33239, CVE-2023-34213, CVE-2023-34214, CVE-2023-34215): Remote attackers with valid credentials can execute arbitrary commands via the web interface.
  3. Path traversal (CVE-2023-34216, CVE-2023-34217): Attackers with valid credentials can create or overwrite critical files, potentially leading to code execution.

Exploitation requires network access to the web service. Command injection and path traversal vulnerabilities require valid user credentials.

What this means
What could happen
An attacker with credentials to the device's web interface could run arbitrary commands on the TN-5900/TN-4900 terminal server, potentially disrupting network communications, halting remote terminal access, or compromising connected equipment. Unauthenticated attackers could attempt brute-force credential attacks to gain initial access.
Who's at risk
This affects any organization operating Moxa TN-5900 or TN-4900 Series terminal servers used for remote device access and network management. These are commonly deployed in utilities, water systems, manufacturing facilities, and data centers for out-of-band management. The impact is significant because terminal servers are often on network perimeters and provide access to critical control systems.
How it could be exploited
An attacker with network access to the device's HTTP/HTTPS web interface could attempt brute-force attacks on user credentials (CVE-2023-33237). Once valid credentials are obtained or if a user is already authenticated, the attacker can inject commands through input fields to execute arbitrary code on the terminal server (CVE-2023-33238 through CVE-2023-34215) or use path traversal to modify system files (CVE-2023-34216, CVE-2023-34217).
Prerequisites
  • Network access to the web service on port 80 or 443
  • Valid user credentials for command injection and path traversal vulnerabilities
  • Brute-force access attempts for authentication bypass
Risk factors
  • Remotely exploitable via web interface
  • No patch available for TN-5900 Series
  • Command injection allows arbitrary code execution
  • Path traversal allows file modification and code execution
  • Low authentication requirements for some attack vectors
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (1)
Product | Affected Versions | Fix Status
TN-5900 | All versions | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: For TN-5900 Series: Restrict web interface access to authorized networks using firewall rules or port filtering
  • HARDENING: For TN-5900 Series: Implement strong password policies and enforce regular credential changes to mitigate brute-force attacks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update TN-4900 Series to version 1.2.4 or later
Long-term hardening
  • HARDENING: Implement network segmentation to isolate terminal servers from untrusted network segments
  • HARDENING: Monitor web service logs for suspicious login attempts and command injection patterns
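
One way to act on the log-monitoring recommendation, as an added example that is not part of the advisory or of any Moxa tooling: a scanner that flags repeated failed logins from one source, shell metacharacters in request parameters, and traversal sequences. The log layout, the `/login`, `/config` and `/upload` paths, the parameter names and the thresholds are assumptions; adapt them to the fields your device or reverse proxy actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, unquote

# Assumed layout (not Moxa's own log format): "<ISO time> <src ip> <method> <url> <status>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
LOGIN_PATH = "/login"                      # hypothetical login endpoint
SHELL_META = re.compile(r"[;|&`\n]|\$\(")  # shell metacharacters inside a parameter value
TRAVERSAL = re.compile(r"\.\.[/\\]")       # ../ or ..\ after URL decoding
WINDOW, THRESHOLD = timedelta(seconds=60), 5

def scan(lines):
    """Return (kind, source_ip, detail) alerts for the three vulnerability classes."""
    alerts, failures, flagged = [], defaultdict(deque), set()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                       # ignore lines outside the assumed layout
        ts, ip, _method, url, status = m.groups()
        when = datetime.fromisoformat(ts)
        path, _, query = url.partition("?")
        # Brute force: THRESHOLD failed logins from one source within WINDOW.
        if path == LOGIN_PATH and status == "401":
            recent = failures[ip]
            recent.append(when)
            while when - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, f"{len(recent)} failed logins in 60s"))
        # parse_qsl decodes once; unquote again to catch double-encoded values.
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)
            if SHELL_META.search(value):
                alerts.append(("command_injection", ip, f"{path} {name}={value!r}"))
            if TRAVERSAL.search(value):
                alerts.append(("path_traversal", ip, f"{path} {name}={value!r}"))
    return alerts

# Constructed sample log; addresses, paths and parameters are illustrative only.
SAMPLE = [f"2023-10-20T10:00:0{i} 192.0.2.10 POST /login 401" for i in range(5)] + [
    "2023-10-20T10:05:00 192.0.2.20 POST /config?host=10.0.0.1%3Bid 200",
    "2023-10-20T10:06:00 192.0.2.20 POST /upload?name=..%252F..%252Ftmp%252Fx 200",
    "2023-10-20T10:07:00 192.0.2.30 GET /status?port=1&mode=rs232 200",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Pattern matches on parameter values will produce false positives on legitimate input that contains `&` or `;`, so treat the alerts as triage leads and tune the character set per field.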
Moxa TN-5900 and TN-4900 Series Web Server Multiple Vulnerabilities | CVSS 3 - OTPulse