Moxa TN-5900 Series Affected by Multiple OpenSSL Vulnerabilities

Act Now | CVSS 7.5 | MPSA-230405 | Oct 4, 2024
Moxa
Summary

Multiple OpenSSL vulnerabilities (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) affect Moxa TN-5900 Series devices. These include: (1) a timing-based side-channel attack allowing recovery of the pre-master secret and decryption of encrypted management traffic; (2) a use-after-free vulnerability in SSL BIO handling that can crash the device; (3) a type confusion vulnerability enabling arbitrary memory reads or denial of service attacks. All three vulnerabilities require only network access to the device's SSL/TLS port and no authentication. The TN-5900 will not receive patches from Moxa.

What this means
What could happen
An attacker with network access to the TN-5900 could crash the device, recover encrypted traffic to decrypt sensitive management commands, or read sensitive memory contents—potentially allowing unauthorized configuration changes or operational disruption.
Who's at risk
Network device administrators and industrial automation engineers operating Moxa TN-5900 Series industrial cellular gateways or routers, particularly those used for remote management of SCADA systems, RTUs, and field devices in water, power, oil & gas, and manufacturing environments.
How it could be exploited
An attacker sends a series of specially crafted network messages to the TN-5900's SSL/TLS service. Depending on the vulnerability, the attacker could: (1) observe timing differences in SSL handshakes to recover the pre-master secret and decrypt past encrypted sessions; (2) trigger a use-after-free crash by manipulating SSL BIO objects; or (3) trigger a type confusion error to read arbitrary memory or cause denial of service without authentication.
Prerequisites
  • Network access to the TN-5900 SSL/TLS service (typically port 443 or port 61682 for Moxa management)
  • No authentication required for CVE-2023-0215 or CVE-2023-0286 exploitation
  • remotely exploitable
  • no authentication required for denial of service and memory access vulnerabilities
  • low to medium complexity
  • high EPSS score (88.5%)
  • no patch available (end-of-life product)
  • management/control device—exploitation could lead to loss of operational visibility or remote access
Exploitability
Likely to be exploited — EPSS score 88.4%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product | Affected Versions | Fix Status
TN-5900 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Segment the TN-5900 onto a restricted management network; restrict inbound network access to the device's SSL/TLS ports (443, 61682) to only authorized administrative workstations and monitoring systems
WORKAROUND: Disable remote management services on the TN-5900 if not required; if remote access is needed, route only through a jump server or VPN concentrator to isolate the device
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Monitor TN-5900 logs for repeated SSL connection failures, crashes, or authentication anomalies that may indicate exploitation attempts
Mitigations - no patch available
TN-5900 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Contact Moxa support to determine if a firmware update or migration to a supported device model (e.g., TN-5900A if available) is planned; if no fix timeline exists, schedule replacement of the TN-5900 with a vendor-supported successor
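One way to verify the segmentation step and support the monitoring step above, as an added example that is not part of the advisory or any Moxa tooling: the script audits flow records from an upstream firewall or collector for connections to the TN-5900's TLS ports that come from outside the admin allowlist, and flags sources that open many connections within one minute. The device address, allowlist, threshold and record layout are assumptions; only the ports 443 and 61682 come from the advisory.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed values for illustration (documentation address ranges, not real hosts).
TN5900_ADDRS = {ip_address("192.0.2.10")}           # hypothetical TN-5900 address
ALLOWED_SOURCES = [ip_network("198.51.100.0/28")]   # hypothetical admin/jump-server subnet
BURST_THRESHOLD = 20                                # assumed connections per source per minute
MGMT_PORTS = {443, 61682}                           # TLS ports named in the advisory

# Constructed sample records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = [
    "1700000000 198.51.100.5 192.0.2.10 443",    # authorized workstation
    "1700000030 203.0.113.77 192.0.2.10 61682",  # outside the allowlist
    "1700000040 203.0.113.77 192.0.2.10 22",     # not a TLS management port, ignored
    "1700000050 203.0.113.9 192.0.2.99 443",     # different destination, ignored
] + [f"{1700000100 + i} 203.0.113.50 192.0.2.10 443" for i in range(25)]


def parse(line):
    """Split one flow record into typed fields."""
    ts, src, dst, port = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(port)


def audit(lines):
    """Return (unauthorized_sources, burst_sources) for TN-5900 TLS traffic."""
    unauthorized, per_minute = set(), Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse(line)
        if dst not in TN5900_ADDRS or port not in MGMT_PORTS:
            continue
        # Segmentation check: any source outside the allowlist is a policy gap.
        if not any(src in net for net in ALLOWED_SOURCES):
            unauthorized.add(str(src))
        # Fixed one-minute buckets; a burst that straddles a boundary can be undercounted.
        per_minute[(str(src), ts // 60)] += 1
    bursts = {src for (src, _), n in per_minute.items() if n >= BURST_THRESHOLD}
    return unauthorized, bursts


if __name__ == "__main__":
    unauthorized, bursts = audit(SAMPLE_FLOWS)
    print("Sources outside allowlist:", sorted(unauthorized))
    print("Sources with connection bursts:", sorted(bursts))
```

Any source reported as outside the allowlist means the inbound restriction is not in effect on that path; burst sources are candidates for review against the device's own logs.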

Moxa TN-5900 Series Affected by Multiple OpenSSL Vulnerabilities | CVSS 7.5 - OTPulse