Moxa Vulnerabilities Identified in MDS-G4028-L3 Series and EDS-G512E - SSH Prefix Truncation, EOL Nginx Software, and Weak SSL/TLS Key Exchange
Act Now · 7.7 · MPSA-241044 · Nov 4, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The MDS-G4028-L3 series is vulnerable to CVE-2023-48795 (CWE-354: Improper Validation of Integrity Check Value), which bypasses integrity checking and allows injection of unauthorized data. Additionally, both MDS and EDS-G512E series run outdated Nginx software affected by CVE-2021-23017, CVE-2021-3618, and CVE-2019-20372, which can cause crashes, certificate validation bypass, and HTTP request smuggling attacks. The EDS-G512E series also uses weak SSL/TLS key exchange (CWE-326), allowing potential decryption of encrypted communications through brute force.
What this means
What could happen
An attacker could forge authentication messages on MDS-G4028-L3 devices or exploit Nginx flaws to crash the device, bypass security checks, or inject malicious HTTP requests. Weak encryption on EDS-G512E could allow an attacker to decrypt sensitive communications between the device and management stations, compromising confidentiality of operational data.
Who's at risk
Water utilities and electric utilities operating Moxa MDS-G4028-L3 and EDS-G512E industrial Ethernet switches and routers should prioritize this. These devices are commonly used for remote site connectivity and SCADA communications. If your facility uses these switches for management traffic between control centers and field sites, this vulnerability could allow an attacker to intercept commands, alter data integrity, or disrupt network availability.
How it could be exploited
An attacker with network access to the MDS-G4028-L3 or EDS-G512E device could send specially crafted SSH packets to truncate integrity checks (CVE-2023-48795), or exploit weaknesses in the embedded Nginx web server to trigger crashes, bypass certificate validation, or perform HTTP request smuggling. Against EDS-G512E, an attacker could intercept TLS traffic and attempt to break the weak encryption to recover plaintext communications.
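To verify whether a device's SSH service still exposes the CVE-2023-48795 conditions described above, here is an added defender-side check (example code, not from the Moxa advisory or the affected products): it reads the server's SSH_MSG_KEXINIT and applies the published Terrapin criteria, namely chacha20-poly1305@openssh.com or a CBC cipher paired with an Encrypt-then-MAC MAC being negotiable while the server does not offer kex-strict-s-v00@openssh.com. The probe identification string, the constructed sample payloads and the `-cbc`/`-etm` name matching are assumptions of this example.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1

def _name_list(names):
    # SSH name-list encoding: uint32 length + comma-separated ASCII names
    s = ",".join(names).encode("ascii")
    return struct.pack(">I", len(s)) + s

def build_kexinit(kex, enc, mac):
    # Constructed KEXINIT payload (same lists both directions) holding only the lists this check reads
    return (bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + _name_list(kex)
            + _name_list(["ssh-ed25519"]) + _name_list(enc) + _name_list(enc)
            + _name_list(mac) + _name_list(mac))

def parse_kexinit(payload):
    # Pull the algorithm lists that decide Terrapin exposure out of a KEXINIT payload
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}  # skip message id and 16-byte cookie
    for key in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c"):
        (n,) = struct.unpack_from(">I", payload, off)
        fields[key] = payload[off + 4:off + 4 + n].decode("ascii").split(",")
        off += 4 + n
    return fields

def assess_terrapin(fields):
    # Exposed when ChaCha20-Poly1305 or CBC+Encrypt-then-MAC is negotiable and strict kex is not offered
    enc = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    mac = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    chacha = "chacha20-poly1305@openssh.com" in enc
    cbc_etm = (any("-cbc" in c for c in enc)
               and any(m.endswith("-etm@openssh.com") for m in mac))
    strict = "kex-strict-s-v00@openssh.com" in fields["kex"]
    return {"chacha20": chacha, "cbc_etm": cbc_etm, "strict_kex": strict,
            "vulnerable": (chacha or cbc_etm) and not strict}

def fetch_server_kexinit(host, port=22, timeout=5.0):
    # Identification exchange, then return the payload of the server's first binary packet
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # skip banner lines before "SSH-2.0-..."
            line = f.readline()
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")  # assumed probe identification string
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)  # payload followed by random padding
        return body[:len(body) - pad_len]
```

Against a lab device, `assess_terrapin(parse_kexinit(fetch_server_kexinit(host)))` reports the server side only; strict key exchange protects a session only when the client supports it too, so a fixed server still needs updated management clients.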
Prerequisites
- Network access to port 22 (SSH) for CVE-2023-48795 exploitation
- Network access to port 80 or 443 for Nginx-related CVE exploitation
- No authentication required for HTTP request smuggling attacks
- Physical proximity or network position to intercept and replay TLS traffic for weak encryption attacks
Tags: remotely exploitable · no authentication required for HTTP request smuggling · low complexity · high EPSS score (73.5%) · no patch available · affects industrial Ethernet devices critical to network availability
Exploitability
High exploit probability (EPSS 73.5%)
Affected products (1)
Product | Affected Versions | Fix Status
MDS | All versions | No fix yet
Remediation & Mitigation
Do now
HOTFIX: Contact Moxa support to determine if firmware updates addressing CVE-2023-48795 and the Nginx vulnerabilities are available or planned for your specific MDS-G4028-L3 model and firmware version
WORKAROUND: Disable or restrict SSH access to MDS-G4028-L3 devices to trusted engineering workstations only, using firewall rules or network segmentation
WORKAROUND: Disable HTTP access to the web management interface on MDS-G4028-L3 and EDS-G512E devices; use HTTPS only if available, and restrict it to trusted subnets
HARDENING: Ensure TLS 1.2 or higher is configured on EDS-G512E; disable older protocols (TLS 1.0, TLS 1.1) and weak cipher suites
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement network segmentation to isolate MDS-G4028-L3 and EDS-G512E devices from untrusted networks; require VPN or jump host for remote management