Details of VAR-201512-0071

ID

VAR-201512-0071

CVE

CVE-2015-6480

TITLE

Moxa OnCell Central Manager Server MessageBrokerServlet Authentication Bypass Vulnerability

Trust: 0.8

sources: IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06672

DESCRIPTION

The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action. Authentication is not required to exploit this vulnerability.The specific flaw exists within the MessageBrokerServlet servlet, which does not ensure a user is authenticated prior to accepting commands. An attacker can exploit this condition to perform various actions, including addUserAndGroup, to take full control of the product and achieve code execution on all managed hosts. There is a security vulnerability in the implementation. Moxa OnCell Central Manager is a set of private IP management software from Moxa. The software supports the configuration, management, and monitoring of remote devices, etc. over a private network over a network. An attacker could use this vulnerability to bypass the authentication mechanism and perform unauthorized operations. This may aid in further attacks. The vulnerability is caused by the fact that the program does not require authentication

Trust: 4.41

sources: NVD: CVE-2015-6480 // JVNDB: JVNDB-2015-006487 // ZDI: ZDI-15-452 // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812 // CNNVD: CNNVD-201510-759 // BID: 76934 // IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // VULHUB: VHN-84441

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.4

sources: IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812

AFFECTED PRODUCTS

vendor:	moxa	model:	oncell central manager	scope:	lt	version:	2.2	Trust: 1.4
vendor:	moxa	model:	oncell central manager	scope:	-	version:	-	Trust: 1.3
vendor:	moxa	model:	oncell central manager	scope:	lte	version:	2.0	Trust: 1.0
vendor:	moxa	model:	oncell central manager	scope:	eq	version:	2.0	Trust: 0.6
vendor:	moxa	model:	oncell central manager server	scope:	eq	version:	0	Trust: 0.3
vendor:	moxa	model:	oncell central manager	scope:	ne	version:	2.2	Trust: 0.3
vendor:	oncell central manager	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // ZDI: ZDI-15-452 // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812 // BID: 76934 // JVNDB: JVNDB-2015-006487 // CNNVD: CNNVD-201511-421 // NVD: CVE-2015-6480

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-6480
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-6480
value:	HIGH
Trust: 0.8
ZDI:	CVE-2015-6480
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2015-06672
value:	HIGH
Trust: 0.6
CNVD:	CNVD-2015-07812
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201511-421
value:	HIGH
Trust: 0.6
IVD:	4979ed48-1e60-11e6-abef-000c29c66e3d
value:	HIGH
Trust: 0.2
VULHUB:	VHN-84441
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-6480
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 2.5
CNVD:	CNVD-2015-06672
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
CNVD:	CNVD-2015-07812
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	4979ed48-1e60-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-84441
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-6480
baseSeverity:	HIGH
baseScore:	8.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	3.9
impactScore:	3.7
version:	3.0
Trust: 1.0

sources: IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // ZDI: ZDI-15-452 // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812 // VULHUB: VHN-84441 // JVNDB: JVNDB-2015-006487 // CNNVD: CNNVD-201511-421 // NVD: CVE-2015-6480

PROBLEMTYPE DATA

problemtype:

CWE-287

Trust: 1.9

sources: VULHUB: VHN-84441 // JVNDB: JVNDB-2015-006487 // NVD: CVE-2015-6480

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201510-759 // CNNVD: CNNVD-201511-421

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201510-759

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006487

PATCH

title:	OnCell Central Manager	url:	http://www.moxa.com/support/sarch_result.aspx?type=soft&prod_id=3116&type_id=6	Trust: 0.8
title:	This vulnerability is being disclosed publicly without a patch in accordance with the ZDI vulnerability disclosure policy on lack of vendor response.02/05/2015 - ZDI sent reports to ICS-CERT02/09/2015 - ZDI receieved an ACK and ticket # from ICS-CERT04/14/2015 - ZDI recieved an update from ICS-CERT that these cases were in work, but "months out"04/15/2015 - ZDI reminded ISC-CERT of the prediacted disclosure date, but indicated some flexibility if the vendor could come close05/14/2015 - ICS-CERT advised ZDI that the vendor could not patch until August05/14/2015 - ZDI agreed to go out to August 509/14/2015 - After getting a response that other Moxa cases had patched, but seemingly not these, ZDI asked ICS-CERT if these did not patch with the August 27 patch09/15/2015 - ICS-CERT indicated that they would reach out to the vendor for clarification and requested extension to do so. ZDI declined an extension, but indicated we "will wait a couple of days, for a status."09/18/2015 - ZDI notified ICS-CERT of the intent to 0-day the reports-- Mitigation:Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in and numerous other Microsoft Knowledge Base articles.-- Vendor Patch:See https://ics-cert.us-cert.gov/advisories/ICSA-15-328-01	url:	http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx	Trust: 0.7
title:	Patch for Moxa OnCell Central Manager Software Authentication Bypass Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/67228	Trust: 0.6
title:	Moxa OnCell Central Manager Software Remediation measures for authorization problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=58856	Trust: 0.6

sources: ZDI: ZDI-15-452 // CNVD: CNVD-2015-07812 // JVNDB: JVNDB-2015-006487 // CNNVD: CNNVD-201511-421

EXTERNAL IDS

db:	NVD	id:	CVE-2015-6480	Trust: 4.3
db:	ICS CERT	id:	ICSA-15-328-01	Trust: 3.4
db:	ZDI	id:	ZDI-15-452	Trust: 3.3
db:	BID	id:	76934	Trust: 1.6
db:	CNNVD	id:	CNNVD-201511-421	Trust: 0.9
db:	CNVD	id:	CNVD-2015-06672	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-006487	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-2526	Trust: 0.7
db:	CNVD	id:	CNVD-2015-07812	Trust: 0.6
db:	CNNVD	id:	CNNVD-201510-759	Trust: 0.6
db:	IVD	id:	4979ED48-1E60-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	SEEBUG	id:	SSVID-89939	Trust: 0.1
db:	VULHUB	id:	VHN-84441	Trust: 0.1

sources: IVD: 4979ed48-1e60-11e6-abef-000c29c66e3d // ZDI: ZDI-15-452 // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812 // VULHUB: VHN-84441 // BID: 76934 // JVNDB: JVNDB-2015-006487 // CNNVD: CNNVD-201510-759 // CNNVD: CNNVD-201511-421 // NVD: CVE-2015-6480

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-15-328-01	Trust: 4.1
url:	http://zerodayinitiative.com/advisories/zdi-15-452/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-15-452/	Trust: 0.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-6480	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-6480	Trust: 0.8
url:	http://technet.microsoft.com/en-us/library/cc725770%28ws.10%29.aspx	Trust: 0.7
url:	http://www.securityfocus.com/bid/76934	Trust: 0.6
url:	http://www.moxa.com/product/oncell_central_manager.htm	Trust: 0.3

sources: ZDI: ZDI-15-452 // CNVD: CNVD-2015-06672 // CNVD: CNVD-2015-07812 // VULHUB: VHN-84441 // BID: 76934 // JVNDB: JVNDB-2015-006487 // CNNVD: CNNVD-201510-759 // CNNVD: CNNVD-201511-421 // NVD: CVE-2015-6480

CREDITS

Andrea Micalizzi (rgod)

Trust: 1.6

sources: ZDI: ZDI-15-452 // BID: 76934 // CNNVD: CNNVD-201510-759

SOURCES

db:	IVD	id:	4979ed48-1e60-11e6-abef-000c29c66e3d
db:	ZDI	id:	ZDI-15-452
db:	CNVD	id:	CNVD-2015-06672
db:	CNVD	id:	CNVD-2015-07812
db:	VULHUB	id:	VHN-84441
db:	BID	id:	76934
db:	JVNDB	id:	JVNDB-2015-006487
db:	CNNVD	id:	CNNVD-201510-759
db:	CNNVD	id:	CNNVD-201511-421
db:	NVD	id:	CVE-2015-6480

LAST UPDATE DATE

2025-04-12T23:14:16.669000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-15-452	date:	2015-09-29T00:00:00
db:	CNVD	id:	CNVD-2015-06672	date:	2015-10-22T00:00:00
db:	CNVD	id:	CNVD-2015-07812	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-84441	date:	2015-12-21T00:00:00
db:	BID	id:	76934	date:	2015-12-08T22:15:00
db:	JVNDB	id:	JVNDB-2015-006487	date:	2015-12-22T00:00:00
db:	CNNVD	id:	CNNVD-201510-759	date:	2015-10-30T00:00:00
db:	CNNVD	id:	CNNVD-201511-421	date:	2015-12-22T00:00:00
db:	NVD	id:	CVE-2015-6480	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	IVD	id:	4979ed48-1e60-11e6-abef-000c29c66e3d	date:	2015-10-20T00:00:00
db:	ZDI	id:	ZDI-15-452	date:	2015-09-29T00:00:00
db:	CNVD	id:	CNVD-2015-06672	date:	2015-10-20T00:00:00
db:	CNVD	id:	CNVD-2015-07812	date:	2015-11-27T00:00:00
db:	VULHUB	id:	VHN-84441	date:	2015-12-21T00:00:00
db:	BID	id:	76934	date:	2015-09-29T00:00:00
db:	JVNDB	id:	JVNDB-2015-006487	date:	2015-12-22T00:00:00
db:	CNNVD	id:	CNNVD-201510-759	date:	2015-09-29T00:00:00
db:	CNNVD	id:	CNNVD-201511-421	date:	2015-11-25T00:00:00
db:	NVD	id:	CVE-2015-6480	date:	2015-12-21T11:59:05.093