CVE-2019-9096
Description
Moxa MGate MB3xxx series gateways with insufficient password requirements allow remote attackers to brute-force account passwords via the web application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the web application of Moxa MGate MB3170 and MB3270 devices before firmware version 4.1, MB3280 and MB3480 devices before version 3.1, MB3660 devices before version 2.3, and MB3180 devices before version 2.1. The application enforces insufficient password requirements, making accounts susceptible to brute-force attacks [1], [2].
Exploitation
An attacker with network access to the device's web interface can brute-force account passwords. No authentication is required to initiate the attack, and the low skill level needed makes exploitation straightforward. The predictable mechanism of token generation (CVE-2019-9102) may further assist an attacker in bypassing CSRF protection to perform password-guessing attempts [1].
Impact
Successful brute-forcing of an account password would grant an attacker authenticated access to the web application. This access could be leveraged to retrieve sensitive information (including usernames), modify configurations, or chain with other vulnerabilities like stack-based buffer overflows (CVE-2019-9099) to execute arbitrary code or cause denial of service [1], [2].
Mitigation
Moxa has released firmware updates to address the vulnerability: MB3170/MB3270 to version 4.1, MB3280/MB3480 to version 3.1, MB3660 to version 2.3, and MB3180 to version 2.1. Users should update their devices to these or later versions. As of the publication date, no workaround is documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1], [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Moxa/MGate MB3170
- Range: <2.3
- Range: <3.1
- Range: <4.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities (mitre, x_refsource_CONFIRM)
- www.us-cert.gov/ics/advisories/icsa-20-056-01 (mitre, x_refsource_MISC)