VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2020 · Updated Aug 4, 2024

CVE-2019-9097

Description

A low-memory DoS vulnerability in Moxa MB3xxx protocol gateways allows remote attackers to crash the device by sending a high rate of transit traffic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A denial-of-service (DoS) vulnerability exists in Moxa MGate MB3170 and MB3270 series firmware versions 4.0 or lower, MB3280 and MB3480 series firmware versions 3.0 or lower, MB3660 series firmware versions 2.2 or lower, and MB3180 series firmware versions 2.0 or lower [1]. The issue is triggered by a high rate of transit traffic that causes a low-memory condition, leading to a device crash [1]. The vulnerability is identified as CVE-2019-9097 and is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) [2].

Exploitation

An attacker can exploit this vulnerability remotely over the network without requiring authentication or user interaction [1]. The attack vector is network-based, with low attack complexity. The attacker simply needs to send a sustained high rate of transit traffic to the affected device, exhausting available memory resources and triggering the denial of service [1]. No special privileges or system access are required.

Impact

Successful exploitation results in a denial-of-service condition, crashing the device and making it unavailable for its intended protocol gateway functions [1]. This impacts availability; the CVSS v3 base score for this vulnerability is not separately listed, but the advisory notes that similar low-memory conditions can be exploited remotely with a CVSS v3 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [1]. The device must be manually restarted to restore normal operation.

Mitigation

Moxa has released firmware updates to address this vulnerability. Affected users should upgrade to the following fixed versions: MB3170/MB3270 series firmware version 4.1 or later, MB3280/MB3480 series firmware version 3.1 or later, MB3660 series firmware version 2.3 or later, and MB3180 series firmware version 2.1 or later [1]. No workarounds have been provided. Users are advised to apply the updates as soon as possible to prevent exploitation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 7

References: 2
