OTPulse

Moxa OnCell G3150A-LTE Series Multiple Web Application Vulnerabilities and Security Enhancement

Dec 29, 2023
Summary

The Moxa OnCell G3150A-LTE Series is affected by multiple web application vulnerabilities related to weak cryptographic algorithms and improper frame restrictions. Specifically: (1) CVE-2004-2761 – weak cryptographic implementation may enable spoofing attacks; (2) CVE-2013-2566 – inadequate encryption strength allows plaintext recovery via statistical analysis across multiple encrypted sessions; (3) CVE-2016-2183 – birthday attack against long-duration encrypted sessions can expose cleartext data; (4) CVE-2023-6093 – clickjacking vulnerability allows attackers to trick users into unintended interactions with the web application; (5) CVE-2023-6094 – cleartext transmission of sensitive information allows attackers to obtain user account credentials and access sensitive data. All versions prior to 1.3 are affected. Remote exploitation is possible without authentication for most vulnerabilities.

What this means
What could happen
An attacker could intercept web traffic to the OnCell G3150A-LTE device, steal user credentials or sensitive configuration data, or trick an operator into performing unintended actions via a malicious webpage. These weaknesses could compromise access to the remote terminal unit's management interface and expose industrial control commands.
Who's at risk
Water utilities and electric utilities that use Moxa OnCell G3150A-LTE cellular terminal units for remote monitoring and control of pump stations, substations, or field RTUs. Any operator who accesses the web management interface is at risk. The device is commonly deployed at unattended sites to provide out-of-band connectivity for industrial equipment.
How it could be exploited
An attacker on the network (or via the internet if the device is exposed) can perform a man-in-the-middle attack on unencrypted or weakly encrypted web traffic to capture credentials or session data. Alternatively, the attacker can craft a malicious webpage that, when visited by a device operator, injects actions into the OnCell management interface without their knowledge (clickjacking). No authentication is required to begin the attack.
Prerequisites
  • Network access to the device's web management port (typically 80/443)
  • For some attacks, the operator must visit an attacker-controlled webpage while logged into the OnCell
  • The device uses weak TLS/SSL cipher suites or permits cleartext transmission of sensitive data
Tags:
  • remotely exploitable
  • no authentication required for initial attack
  • low complexity
  • high EPSS score (90.8%)
  • no patch available
  • weak cryptographic algorithms
  • cleartext transmission of credentials
  • affects remote access to critical infrastructure
Exploitability
High exploit probability (EPSS 90.8%)
Affected products (1)
Product             Affected Versions   Fix Status
OnCell G3150A-LTE   All versions        1.3
Remediation & Mitigation
Do now
Workaround: Disable web management access from untrusted networks using firewall rules; restrict access to engineering workstations and administrative subnets only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Monitor for any vendor updates to firmware version 1.3 or later and apply immediately when available
Mitigations - no patch available
OnCell G3150A-LTE has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
Hardening: If the device must be internet-facing, deploy a reverse proxy or WAF (Web Application Firewall) to enforce strong TLS 1.2+ and block weak cipher suites
Hardening: Isolate the OnCell G3150A-LTE on a separate industrial network segment with explicit allow-rules for necessary traffic only
Hardening: Educate operators to never access the device's web interface from untrusted networks or click links that lead to it
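The compensating controls above can be verified rather than assumed. The following Python script is an added example written for this page (it is not Moxa's tooling and not part of the advisory) that checks a management interface, or the reverse proxy placed in front of it, for the three weakness classes the advisory describes: a legacy TLS version or weak cipher suite (RC4, 3DES, MD5), a missing frame restriction that leaves the UI open to clickjacking, and the login page being served over cleartext HTTP instead of redirecting to HTTPS. The host names, ports and sample responses are constructed assumptions; the `probe()` function needs network access, while the `assess_*` functions run offline on recorded observations.

```python
import http.client
import re
import ssl
from dataclasses import dataclass, field

# Cipher-name fragments (OpenSSL or IANA style) that indicate the weak
# algorithms behind the advisory's cryptographic findings.
WEAK_CIPHER_PATTERNS = {
    r"RC4": "RC4 keystream bias allows plaintext recovery across many sessions",
    r"3?DES": "64-bit block cipher: birthday attack on long sessions (SWEET32)",
    r"MD5": "MD5-based MAC/signature is collision-prone",
    r"NULL": "null cipher or MAC gives no confidentiality/integrity",
    r"EXP(ORT)?": "export-grade key sizes",
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Finding:
    check: str   # "tls-version", "weak-cipher", "clickjacking" or "cleartext"
    detail: str


@dataclass
class Posture:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def assess_tls(protocol: str, cipher: str) -> list:
    """Judge the negotiated protocol version and cipher-suite name."""
    findings = []
    if protocol in LEGACY_PROTOCOLS:
        findings.append(Finding("tls-version", f"{protocol} negotiated; require TLS 1.2 or newer"))
    for pattern, why in WEAK_CIPHER_PATTERNS.items():
        # Match only as a whole token between '-' / '_' separators, so that
        # AES128 is never mistaken for DES.
        if re.search(rf"(^|[-_]){pattern}([-_]|$)", cipher):
            findings.append(Finding("weak-cipher", f"{cipher}: {why}"))
    return findings


def assess_frame_headers(headers: dict) -> list:
    """Clickjacking control: X-Frame-Options DENY/SAMEORIGIN, or a CSP
    frame-ancestors directive that does not allow '*'."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return []
    m = re.search(r"frame-ancestors\s+([^;]+)", h.get("content-security-policy", ""), re.I)
    if m and "*" not in m.group(1).split():
        return []
    return [Finding("clickjacking", "no X-Frame-Options DENY/SAMEORIGIN and no restrictive CSP frame-ancestors")]


def assess_cleartext(status: int, headers: dict) -> list:
    """A plain-HTTP request for the UI is acceptable only as a redirect to
    https://; anything else means credentials could travel in the clear."""
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and h.get("location", "").lower().startswith("https://"):
        return []
    return [Finding("cleartext", f"HTTP {status} served over plaintext instead of redirecting to https://")]


def assess(protocol, cipher, https_headers, http_status, http_headers) -> Posture:
    p = Posture()
    p.findings += assess_tls(protocol, cipher)
    p.findings += assess_frame_headers(https_headers)
    p.findings += assess_cleartext(http_status, http_headers)
    return p


# Constructed sample observations (not captured from a real device): a directly
# exposed legacy interface versus the same interface behind a hardened proxy.
SAMPLES = {
    "device_direct": dict(protocol="TLSv1", cipher="RC4-SHA",
                          https_headers={"Server": "legacy-httpd", "Content-Type": "text/html"},
                          http_status=200, http_headers={"Content-Type": "text/html"}),
    "behind_proxy": dict(protocol="TLSv1.2", cipher="ECDHE-RSA-AES128-GCM-SHA256",
                         https_headers={"Content-Security-Policy": "frame-ancestors 'none'",
                                        "Strict-Transport-Security": "max-age=31536000"},
                         http_status=301, http_headers={"Location": "https://10.0.0.5/"}),
}


def assess_sample(name: str) -> Posture:
    return assess(**SAMPLES[name])


def probe(host: str, https_port: int = 443, http_port: int = 80, timeout: float = 5.0) -> Posture:
    """Live check against an assumed host (needs network access). Certificate
    identity is deliberately not verified: device certificates are often
    self-signed and we only inspect what the server negotiates and sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = http.client.HTTPSConnection(host, https_port, context=ctx, timeout=timeout)
    tls.connect()                                  # connect first so the socket is still ours
    cipher, protocol, _bits = tls.sock.cipher()
    tls.request("GET", "/")
    https_headers = dict(tls.getresponse().getheaders())
    tls.close()
    plain = http.client.HTTPConnection(host, http_port, timeout=timeout)
    plain.request("GET", "/")
    resp = plain.getresponse()
    status, http_headers = resp.status, dict(resp.getheaders())
    plain.close()
    return assess(protocol, cipher, https_headers, status, http_headers)


if __name__ == "__main__":
    for name in SAMPLES:
        p = assess_sample(name)
        print(name, "OK" if p.ok else [f"{f.check}: {f.detail}" for f in p.findings])
```

Run `probe("<proxy-or-device-address>")` from an engineering workstation after deploying the reverse proxy; an empty findings list confirms the proxy is terminating TLS 1.2+ with modern ciphers, sending a frame restriction, and redirecting cleartext requests. The `probe()` function reports only the cipher this client's default context negotiates, so a server that still accepts RC4 or 3DES for older clients is caught by running the `assess_tls` logic over a full cipher scan rather than a single handshake.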