VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2019 · Updated Aug 5, 2024

CVE-2018-10695

Description

An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple buffer overflow vulnerabilities in the email alert function of Moxa AWK-3121 devices allow unauthenticated, remote code execution via crafted POST parameters.

Vulnerability

The Moxa AWK-3121 wireless access point running firmware version 1.14 (and possibly earlier) contains multiple stack-based buffer overflow vulnerabilities in its email alert functionality. The POST parameters to1, to2, to3, and to4 are each susceptible to a buffer overflow when a specially crafted string longer than 678 characters is supplied [1]. The vulnerability is reachable when the device's administrative web interface is exposed to an attacker, and no authentication is required to trigger it if the alert feature is enabled or accessible without prior login [1].

Exploitation

An attacker who can send HTTP POST requests to the device's web interface can exploit this vulnerability without any prior authentication or user interaction. By crafting a single POST request containing a payload string of at least 678 characters in any of the to1 through to4 parameters, the attacker can overflow the internal buffer and achieve code execution. The exploit does not require any special network position beyond network access to the device's management web server [1].

Impact

Successful exploitation of this buffer overflow allows an attacker to execute arbitrary code on the device in the context of the web server process. This can lead to complete compromise of the device, including the ability to alter configuration, exfiltrate data, or use the device as a pivot point within the network. The impact is a full loss of confidentiality, integrity, and availability of the affected device [1].

Mitigation

As of the publication date (2019-06-07), Moxa has not released a firmware update to patch this vulnerability [1]. Users should restrict network access to the device's web interface to trusted IP addresses only, disable the email alert feature if not required, and monitor the vendor's advisory page for an official fix. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
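
A defensive check to go with the access restrictions above, as an added example that is not part of the advisory or of any Moxa code: it inspects a form-encoded POST body in front of the device (for instance in a reverse proxy or a log pipeline) and flags to1 through to4 values that reach the 678-character length given in the description. The function name, the 254-character review threshold and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

ALERT_PARAMS = ("to1", "to2", "to3", "to4")  # recipient parameters named in the advisory
OVERFLOW_LEN = 678    # string length cited in the CVE description
MAX_EMAIL_LEN = 254   # assumption: practical upper bound for one e-mail address


def inspect_form_body(body: bytes):
    """Return [(param, decoded_length, verdict)] for oversized recipient fields.

    Length is measured after percent-decoding, because that is the size the
    device-side handler would see. latin-1 maps every byte to exactly one
    character, so len() equals the decoded byte count and decoding never fails.
    """
    findings = []
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1")
    # parse_qsl keeps repeated keys, so a duplicated to1 is inspected each time.
    for name, value in pairs:
        if name not in ALERT_PARAMS:
            continue
        size = len(value)
        if size >= OVERFLOW_LEN:
            findings.append((name, size, "block"))
        elif size > MAX_EMAIL_LEN:
            findings.append((name, size, "review"))
    return findings


# Constructed sample bodies (not captured traffic).
BENIGN = b"to1=admin%40example.com&to2=&subject=link+down"
LONGISH = b"to1=ops%40example.com&to2=" + b"a" * 300
# Percent-encoded filler: 2034 raw bytes that decode to 678 characters.
OVERSIZED = b"to1=ops%40example.com&to3=" + b"%41" * 678

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("longish", LONGISH),
                        ("oversized", OVERSIZED)):
        print(label, inspect_form_body(body))
```

Measuring the decoded value rather than the raw request size matters here: the oversized sample would pass a naive check on the literal field length only by accident, and a check on total body size would miss a long value hidden among short ones.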

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
