CVE-2019-9096

An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Insufficient password requirements for the MGate web application may allow an attacker to gain access by brute-forcing account passwords.

CVSS v3 9.8 CRITICAL
CVSS v2.0 5.0 MEDIUM

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities	Vendor Advisory
https://www.us-cert.gov/ics/advisories/icsa-20-056-01	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:moxa:mb3170_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3170:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:moxa:mb3270_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3270:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:moxa:mb3180_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3180:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:moxa:mb3280_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3280:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:moxa:mb3480_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3480:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:moxa:mb3660_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:mb3660:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-03-11 15:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-9096

Mitre link : CVE-2019-9096

CVE.ORG link : CVE-2019-9096

JSON object : View

Products Affected

moxa

mb3170_firmware
mb3480_firmware
mb3170
mb3180
mb3270_firmware
mb3180_firmware
mb3280
mb3660
mb3270
mb3280_firmware
mb3660_firmware
mb3480

CWE

CWE-521

Weak Password Requirements

{"id": "CVE-2019-9096", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-03-11T15:15:16.577", "references": [{"url": "https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.us-cert.gov/ics/advisories/icsa-20-056-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-521"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Insufficient password requirements for the MGate web application may allow an attacker to gain access by brute-forcing account passwords."}, {"lang": "es", "value": "Se detect\u00f3 un problema en los dispositivos Moxa MGate MB3170 y MB3270 versiones anteriores a la versi\u00f3n 4.1, los dispositivos MB3280 y MB3480 versiones anteriores a la versi\u00f3n 3.1, los dispositivos MB3660 versiones anteriores a la versi\u00f3n 2.3, y los dispositivos MB3180 versiones anteriores a la versi\u00f3n 2.1. Unos requerimientos de contrase\u00f1a insuficientes para la aplicaci\u00f3n web de MGate puede permitir a un atacante conseguir acceso por medio de brute-forcing de las contrase\u00f1as de las cuentas."}], "lastModified": "2020-03-17T14:41:19.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3170_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA77E3A9-35F8-46C1-B8DE-9647AFD61639", "versionEndIncluding": "4.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3170:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "02331350-F101-4848-ACC8-128F71158A2B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3270_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "320E0EA8-031F-4FB5-A31E-383CBAB1A7B7", "versionEndIncluding": "4.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3270:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5B20B91C-1A84-4B6B-9057-ABC2374E749B"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3180_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0627A8C8-E7D1-4005-BA45-DD5713A66974", "versionEndIncluding": "2.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3180:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4CF26E0E-2E1A-4365-8F7D-E668A2856F57"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3280_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE9A7F7F-B24E-40D6-9316-1BC67A826D22", "versionEndIncluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3280:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "706A1768-5776-48CC-A4ED-1F73841C9F9A"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3480_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21613C9B-C822-4B51-98D5-88C4A0B7F852", "versionEndIncluding": "3.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3480:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "9B9256FD-5121-4009-8672-D9637053E808"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:mb3660_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "634112A7-C567-43E8-BB61-73779CB43C6D", "versionEndIncluding": "2.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:mb3660:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1DC4BC5A-4EDA-448B-B312-C9A9F906E4DC"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}