ICSA-21-357-01 Moxa MGate Protocol Gateways

Vulnerability

CVE-2021-4161 is a cleartext transmission of sensitive information vulnerability (CWE-319) affecting the HTTP web server of Moxa MGate MB3180, MB3280, and MB3480 series protocol gateways. The vulnerability exists in firmware versions MB3180: 2.2 or lower, MB3280: 4.1 or lower, and MB3480: 3.2 or lower [1]. When accessed over HTTP (rather than HTTPS), the gateway transmits login credentials in plaintext, which can be intercepted by an attacker on the same network [1].

Exploitation

An attacker with network access to the affected gateway can sniff traffic passing between the device and a legitimate administrator. The attacker does not require authentication or user interaction [1]. By capturing the unencrypted HTTP session, the attacker can extract login credential details, including the administrator password [1]. The attack is remotely exploitable with low complexity, requiring only that the HTTP console function is enabled (default setting) and that the attacker can monitor network traffic [1].

Impact

Successful exploitation allows the attacker to obtain administrative credentials for the gateway's web interface [1]. With admin rights, the attacker can fully compromise the device, leading to loss of confidentiality, integrity, and availability of the gateway and potentially the connected Modbus network [1]. The CVSS v3 base score is 9.8 (Critical) [1].

Mitigation

Moxa recommends enabling HTTPS and disabling the HTTP console function under 'Console Settings' to prevent cleartext transmission [1]. Users should also refer to the "Moxa Security Hardening Guide for MGate MB3000 Series" for additional security measures [1]. As of the advisory date (December 2021), no firmware patch is mentioned; the recommended mitigation is a configuration change [1]. CISA further advises minimizing network exposure and isolating control system networks behind firewalls [1].