CVE-2019-9102

Vulnerability

The cross-site request forgery (CSRF) protection mechanism in Moxa MGate MB3170, MB3270, MB3280, MB3480, MB3660, and MB3180 series protocol gateways uses a predictable token generation mechanism. Affected firmware versions include MB3170 and MB3270 series firmware version 4.0 or lower, MB3280 and MB3480 series firmware version 3.0 or lower, MB3660 series firmware version 2.2 or lower, and MB3180 series firmware version 2.0 or lower [1][2].

Exploitation

A remote attacker can exploit this vulnerability without authentication by predicting the CSRF token. The predictable token generation allows the attacker to forge requests that bypass the CSRF protection, enabling actions on behalf of an authenticated user [1][2].

Impact

Successful exploitation allows the attacker to perform unauthorized actions on the device as if they were an authenticated user. This can lead to configuration changes, data manipulation, or further compromise of the gateway and connected systems [1].

Mitigation

Moxa has released firmware updates to address this vulnerability. Users should update to the following fixed versions: MB3170 and MB3270 series to version 4.1, MB3180 series to version 2.1, MB3280 and MB3480 series to version 3.1, and MB3660 series to version 2.3 [1]. No workarounds are provided; upgrading is the recommended mitigation.