Moxa SDS-3008 Series Multiple Web Vulnerabilities

Act NowCVSS 4sds-3008-series-multiple-web-vulnerabilitiesFeb 2, 2023

MoxaManufacturingTransportation

Summary

The Moxa SDS-3008 Series Industrial Ethernet switch web server contains four vulnerability classes affecting v2.1: (1) Cleartext transmission of credentials and sensitive data via network sniffing (CVE-2022-40693); (2) Denial-of-service via malformed HTTP message headers that exhaust server resources (CVE-2022-40224); (3) Stored cross-site scripting allowing arbitrary JavaScript injection and execution in engineer browsers (CVE-2022-41311, CVE-2022-41312, CVE-2022-41313); (4) Information disclosure via crafted HTTP requests revealing system details (CVE-2022-40691). All versions of the SDS-3008 are affected. No firmware patch has been released by Moxa.

What this means

What could happen

An attacker with network access to the SDS-3008 web interface could steal sensitive information, disrupt switch operations via denial-of-service, or inject malicious scripts that execute on engineer browsers during management sessions.

Who's at risk

Manufacturing facilities and transportation systems that rely on Moxa SDS-3008 Industrial Ethernet switches for network connectivity, especially those with remote or multi-site engineering access to switch management consoles.

How it could be exploited

An attacker on the same network (or internet-facing management port) can send specially crafted HTTP requests to the web server to trigger information disclosure, perform DoS via malformed headers, or store malicious JavaScript that executes when engineers access the web interface. Network sniffing can also intercept unencrypted credentials and configuration data in transit.

Prerequisites

Network access to the SDS-3008 web management port (typically port 80/443)
No authentication required for some information disclosure vulnerabilities
For stored XSS, attacker needs ability to send HTTP requests to the switch
For sniffing attacks, attacker must be on a network segment that can see switch traffic

remotely exploitableno authentication required for information disclosurelow complexity attackno patch availablehigh EPSS score (11.7%)

Exploitability

Likely to be exploited — EPSS score 11.7%

Affected products (1)

ProductAffected VersionsFix Status

SDS-3008All versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGRestrict network access to the SDS-3008 web management interface using firewall rules; only allow engineering workstations and network management systems to connect to management ports

WORKAROUNDDisable the SDS-3008 web management interface if not actively in use; use CLI or SNMP instead

HARDENINGUse a VPN or jump host for remote management access to isolate the switch from direct internet exposure

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGEncrypt management traffic by enabling HTTPS and disabling HTTP on the switch

HARDENINGMonitor web server logs for suspicious HTTP requests and injection attempts

Long-term hardening

0/1

HOTFIXContact Moxa regarding long-term firmware updates, as no official fix is currently available for this end-of-life product

CVEs (6)

CVE-2022-40693 CVE-2022-40224 CVE-2022-41311 CVE-2022-41312 CVE-2022-41313 CVE-2022-40691

View full Moxa Security advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8406cdc7-7e35-42ae-8ad3-cdfe3278178b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.