OTPulse

Moxa: Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372

Priority: Act Now · CVSS: 5.9 · Advisory: MPSA-244252 · Date: Nov 1, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple Moxa Ethernet switches are affected by two integrity and authentication bypass issues, both exploitable over the network without credentials:

CVE-2023-48795 (CVSS 5.9): Improper validation of integrity checks in the SSH transport protocol (the Terrapin attack) allows a remote man-in-the-middle attacker to drop packets from the start of the encrypted session, such as the extension negotiation message, without detection, so that client and server end up with a connection on which some security features have been downgraded or disabled. This requires a network position on the path between the administrator's SSH client and the switch, and a session that negotiates chacha20-poly1305@openssh.com or a CBC cipher with an encrypt-then-MAC (-etm) MAC.

CVE-2019-20372 (CVSS 5.3): HTTP request smuggling in the web management interface (an nginx flaw triggered by certain error_page configurations) allows bypassing authentication controls, potentially leading to unauthorized access to web pages and further attacks. This requires network access to the switch's web interface.

Moxa has not released patches for the affected switch models.

What this means
What could happen
An attacker on the path between an administrator and a Moxa switch could strip security features from SSH management sessions, and an attacker with access to the web interface could smuggle requests past its authentication controls. Either could allow unauthorized configuration changes to switching and VLAN settings that affect process connectivity.
Who's at risk
Water utilities and electric utilities that use Moxa Ethernet switches for process network connectivity should assess this risk. Multiple models in the Moxa switch product line are affected and no vendor fix is currently available. The main concern is for sites where these switches connect critical automation networks or are reachable from less-trusted networks.
How it could be exploited
An attacker on the network path between a management workstation and a Moxa switch (man-in-the-middle position) can tamper with the SSH handshake to drop packets and downgrade the session's negotiated security features (CVE-2023-48795), or send the web interface HTTP requests that desynchronize its request parsing so that attacker-controlled bytes are handled as a separate request, bypassing authentication controls (CVE-2019-20372). No valid credentials are required, but the SSH attack needs the ability to see and modify traffic to the switch, while the HTTP attack needs only a network path to the web interface.
Prerequisites
  • For CVE-2023-48795: network position allowing man-in-the-middle (same subnet or compromised router)
  • Ability to intercept and modify SSH traffic to the affected switch
  • For HTTP request smuggling (CVE-2019-20372): network path to the switch's web management interface
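Whether CVE-2023-48795 applies to a given session is decided entirely by the algorithm lists the two sides exchange in SSH_MSG_KEXINIT, so it can be assessed from the handshake alone. The following is an added Python example, not code from OTPulse, Moxa or OpenSSH: it parses two constructed KEXINIT payloads, runs the RFC 4253 client-preference negotiation, and reports whether the resulting cipher/MAC pair is Terrapin-attackable and whether both peers advertised the strict key-exchange countermeasure (the kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com pseudo-algorithms). The algorithm lists, the build_kexinit() builder and the assess_terrapin() function are assumptions for illustration; no Moxa device's actual algorithm set is implied.

```python
"""Check whether an SSH handshake would leave the session open to CVE-2023-48795.

Parses two SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1), runs the
client-preference algorithm negotiation, and reports whether the chosen
cipher/MAC pair is Terrapin-attackable and whether both peers signalled the
strict key-exchange countermeasure. All KEXINIT payloads below are constructed
samples built by build_kexinit(), not captured traffic from any device.
"""
import struct

SSH_MSG_KEXINIT = 20
# Pseudo-algorithm names carried in kex_algorithms to signal strict kex support.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialize a KEXINIT payload from a dict of name-lists (sample builder)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for key in NAME_LISTS:
        value = ",".join(lists.get(key, [])).encode("ascii")
        out += struct.pack(">I", len(value)) + value
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists; raise on truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 1 + 16, {}
    for key in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + length].decode("ascii")
        lists[key] = raw.split(",") if raw else []
        pos += length
    return lists


def negotiate(client, server):
    """RFC 4253: the first client-preferred name that the server also offers wins."""
    return next((name for name in client if name in server), None)


def pair_is_vulnerable(cipher, mac):
    """Terrapin applies to chacha20-poly1305 and to CBC ciphers used with an EtM MAC."""
    if cipher == "chacha20-poly1305@openssh.com":
        return True
    return cipher.endswith("-cbc") and mac is not None and mac.endswith("-etm@openssh.com")


def assess_terrapin(client_payload, server_payload):
    """Return the negotiated cipher/MAC per direction and whether the attack applies."""
    c, s = parse_kexinit(client_payload), parse_kexinit(server_payload)
    # The countermeasure only works when *both* sides advertise strict kex.
    strict = STRICT_KEX_CLIENT in c["kex"] and STRICT_KEX_SERVER in s["kex"]
    result = {"strict_kex": strict}
    for d in ("c2s", "s2c"):
        cipher = negotiate(c["enc_" + d], s["enc_" + d])
        mac = negotiate(c["mac_" + d], s["mac_" + d])
        result[d] = {"cipher": cipher, "mac": mac,
                     "vulnerable": cipher is not None and pair_is_vulnerable(cipher, mac) and not strict}
    return result


# Constructed sample: an OpenSSH-style admin client that prefers chacha20 and EtM MACs.
CLIENT = {
    "kex": ["curve25519-sha256", "diffie-hellman-group14-sha256", STRICT_KEX_CLIENT],
    "hostkey": ["ssh-ed25519", "rsa-sha2-256"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
# Constructed sample: an unpatched embedded server with no strict-kex support (hypothetical).
LEGACY_SWITCH = dict(CLIENT, kex=["diffie-hellman-group14-sha256"], hostkey=["rsa-sha2-256"],
                     enc_c2s=["aes256-cbc", "chacha20-poly1305@openssh.com", "aes128-ctr"],
                     enc_s2c=["aes256-cbc", "chacha20-poly1305@openssh.com", "aes128-ctr"],
                     mac_c2s=["hmac-sha2-256-etm@openssh.com"], mac_s2c=["hmac-sha2-256-etm@openssh.com"])
# Client-side workaround when the device cannot be patched: drop the vulnerable ciphers.
HARDENED_CLIENT = dict(CLIENT, enc_c2s=["aes128-ctr", "aes256-ctr"], enc_s2c=["aes128-ctr", "aes256-ctr"])

if __name__ == "__main__":
    for label, client in (("default client", CLIENT), ("hardened client", HARDENED_CLIENT)):
        print(label, assess_terrapin(build_kexinit(client), build_kexinit(LEGACY_SWITCH)))
```

Against the legacy server the default client negotiates chacha20-poly1305 with no strict kex and is reported vulnerable; the hardened client lands on aes128-ctr and is not. Adding kex-strict-s-v00@openssh.com to the server's list (a patched firmware) clears the finding even for chacha20, which is why the client-side cipher restriction is only a workaround until the device itself is updated.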
Remotely exploitable · No authentication required for some attack paths · High EPSS score (69.7%) · No patch available · Man-in-the-middle required for CVE-2023-48795
Exploitability
High exploit probability (EPSS 69.7%)
Affected products (1)
Product: Multiple Moxa Ethernet Switches Affected by CVE-2023-48795 and CVE-2019-20372
Affected versions: All versions
Fix status: No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the SSH and web management interfaces of Moxa switches to a dedicated engineering VLAN and require VPN for remote access
  • HARDENING: Place Moxa switches behind a firewall that blocks direct internet access to their management ports (TCP 22, 80, 443, and any other management ports)
  • HARDENING: Disable HTTP (port 80) on the web interface and enforce HTTPS only; this protects credentials and sessions from an on-path attacker but does not by itself stop request smuggling, which travels inside the TLS session
  • WORKAROUND: Use a reverse proxy or WAF in front of the switch's web interface to validate and normalize HTTP requests; it should reject ambiguously framed requests and not reuse its connections to the switch, so that request bytes the switch leaves unread cannot be treated as a following request
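What a proxy in front of the web interface actually has to enforce is unambiguous request framing toward the device. The following is an added Python example, not code from OTPulse, Moxa or nginx: a framing validator that refuses requests with conflicting Content-Length and Transfer-Encoding headers, malformed header names, obsolete line folding, or bytes beyond the declared body, and re-serializes accepted requests with an exact Content-Length and Connection: close so the device never has unread body bytes to interpret as a second request. The sample requests, the function names and the allowed-method set are assumptions for illustration.

```python
"""Request-framing validator for a reverse proxy in front of an embedded web interface.

Requests with ambiguous or malformed HTTP/1.1 framing are refused; accepted ones are
de-chunked and re-serialized with an exact Content-Length and Connection: close, so the
device behind the proxy sees one unambiguous request per connection and never has
leftover bytes to reinterpret. The sample requests at the bottom are constructed.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}  # assumed policy
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 header-name token
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te", "upgrade", "proxy-connection"}


class FramingError(ValueError):
    """Raised when a request must not be forwarded."""


def parse_head(raw):
    """Split raw bytes into ((method, target), [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if (len(parts) != 3 or parts[0] not in ALLOWED_METHODS
            or not parts[1].startswith("/") or parts[2] != "HTTP/1.1"):
        raise FramingError("bad request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding")  # obs-fold lets parsers disagree on headers
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not TOKEN.match(name):  # rejects "Transfer-Encoding : chunked" style tricks
            raise FramingError("malformed header name: %r" % name)
        headers.append((name.lower(), value.strip()))
    return (parts[0], parts[1]), headers, body


def body_length(headers):
    """Return ("chunked", None) or ("length", n); every ambiguous combination is an error."""
    cls = [v for k, v in headers if k == "content-length"]
    tes = [v for k, v in headers if k == "transfer-encoding"]
    if cls and tes:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if tes:
        if len(tes) != 1 or tes[0].lower() != "chunked":
            raise FramingError("unsupported Transfer-Encoding: %r" % tes)
        return "chunked", None
    if not cls:
        return "length", 0
    if len(set(cls)) != 1 or not cls[0].isdigit():
        raise FramingError("conflicting or non-numeric Content-Length: %r" % cls)
    return "length", int(cls[0])


def dechunk(body):
    """Decode a complete chunked body; trailers and trailing bytes are rejected."""
    out, pos = b"", 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:end].split(b";")[0].strip()
        if not re.match(rb"^[0-9A-Fa-f]+$", size_field):
            raise FramingError("bad chunk size: %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            if body[pos:] != b"\r\n":
                raise FramingError("trailers or bytes after the last chunk")
            return out
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("truncated chunk data")
        out, pos = out + body[pos:pos + size], pos + size + 2


def normalize(raw):
    """Return the one request to forward upstream, or raise FramingError."""
    (method, target), headers, body = parse_head(raw)
    kind, length = body_length(headers)
    if kind == "chunked":
        payload = dechunk(body)
    elif len(body) != length:  # extra bytes here would be a second, smuggled request
        raise FramingError("body is %d bytes, Content-Length says %d" % (len(body), length))
    else:
        payload = body
    kept = [(k, v) for k, v in headers if k not in HOP_BY_HOP and k != "content-length"]
    lines = ["%s %s HTTP/1.1" % (method, target)] + ["%s: %s" % kv for kv in kept]
    lines += ["Content-Length: %d" % len(payload), "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + payload


def check(raw):
    """Return (forwardable bytes, None) or (None, rejection reason)."""
    try:
        return normalize(raw), None
    except FramingError as exc:
        return None, str(exc)


# Constructed samples: one clean login POST, one clean chunked POST, two that must be refused.
CLEAN = (b"POST /login.cgi HTTP/1.1\r\nHost: switch\r\nContent-Length: 11\r\n"
         b"Connection: keep-alive\r\n\r\nuser=admin&")
CHUNKED = (b"POST /cgi HTTP/1.1\r\nHost: switch\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n0\r\n\r\n")
CL_TE = (b"POST / HTTP/1.1\r\nHost: switch\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")
PIPELINED = (b"POST / HTTP/1.1\r\nHost: switch\r\nContent-Length: 3\r\n\r\n"
             b"abcGET /secret HTTP/1.1\r\nHost: switch\r\n\r\n")
```

normalize() is the forwarding path and check() wraps it for logging. A production proxy would additionally need a read timeout and a size cap on bodies before calling normalize(), and the upstream connection must genuinely be closed after each forwarded request; both are left out here to keep the framing logic in view.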
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Monitor SSH sessions to Moxa switches for negotiation of Terrapin-vulnerable algorithms (chacha20-poly1305@openssh.com, or CBC ciphers with -etm MACs) without strict key exchange on both sides, and HTTP traffic to the web interface for malformed or ambiguously framed requests
  • HOTFIX: Contact Moxa to inquire about firmware updates that address CVE-2023-48795 and CVE-2019-20372