Sign-up

ID

VAR-201605-0029


CVE

CVE-2016-2295


TITLE

plural Moxa MiiNePort Vulnerabilities that can retrieve important plaintext information in device product firmware

Trust: 0.8

sources: JVNDB: JVNDB-2016-002971

DESCRIPTION

Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, MiiNePort_E1_7080 devices with firmware 1.1.10 Build 09120714, MiiNePort_E2_1242 devices with firmware 1.1 Build 10080614, MiiNePort_E2_4561 devices with firmware 1.1 Build 10080614, and MiiNePort E3 devices with firmware 1.0 Build 11071409 allow remote attackers to obtain sensitive cleartext information by reading a configuration file. plural Moxa MiiNePort Device product firmware contains a vulnerability that can capture important plaintext information.If a third party reads the configuration file, important plaintext information may be obtained. Moxa MiiNePort is an embedded device networking module designed for manufacturers to connect serial devices to a network connection. Moxa MiiNePort stores information in plain text and does not provide protection mechanisms, allowing attackers to use this vulnerability to view sensitive or configuration information. Moxa MiiNePort_E1_4641, etc. *Moxa MiiNePort - Multiple Vulnerabilities* Multiple vulnerabilities are present in Moxa MiiNePort. Following versions have been verified, but it is highly probable all other versions are affected as well. *About* Moxa provides a full spectrum of quality products for industrial networking, computing, and automation, and maintains a distribution and service network that reaches customers in more than 70 countries. Our products have connected over 30 million devices worldwide in a wide range of applications, including factory automation, smart rail, smart grid, intelligent transportation, oil & gas, marine, and mining. By continually improving staff expertise in a variety of technologies and markets, we aim to be the first choice for industrial automation solutions. Moxa's embedded serial-to-Ethernet device server modules are small, consume less power, and integration is easy. The MiiNePort E3 is empowered by the MiiNe, Moxa’s second generation SoC, which supports 10/100 Mbps Ethernet, up to 921.6 kbps serial baudrate, a versatile selection of ready-to-use operation modes, and requires only a small amount of power. By using Moxa’s innovative NetEZ technology, the MiiNePort E3 can be used to convert any device with a standard serial interface to an Ethernet enabled device in no time. In addition, the MiiNePort E3 is a compact embedded device server with an RJ45 connector, making it easy to fit into virtually any existing serial device. Weak Credentials Management - CVE-2016-2286 2. Sensitive information not protected - CVE-2016-2295 3. Vulnerable to Cross-Site Request Forgery - CVE-2016-2285 *Vulnerability Description* 1. *Weak Credentials Management* By default, no password is set on the device / application. The device / application does not enforce a mandatory password change mechanism, forcing users to a) set/change the password on first login, b) ensure the password meets complexity requirements, and c) change password periodically. This allows anyone to access the device over HTTP and Telnet. Access to the device provides full administrative functionality. 2. *Sensitive information not protected* Information such as Connect passwords, SNMP community strings is not protected and shown in clear-text when viewing and / or downloaded device config (HTTP / Telnet). 3. Vulnerable to Cross-Site Request Forgery There is no CSRF Token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device such as password change, configuration parameter changes, saving modified configuration, & device reboot. +++++ -- Best Regards, Karn Ganeshen

Trust: 2.34

sources: NVD: CVE-2016-2295 // JVNDB: JVNDB-2016-002971 // CNVD: CNVD-2016-02875 // VULHUB: VHN-91114 // PACKETSTORM: 136891

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-02875

AFFECTED PRODUCTS

vendor:moxamodel:miineport e2 4561scope:eqversion:1.1

Trust: 1.0

vendor:moxamodel:miineport e1 4641scope:eqversion:1.1.10

Trust: 1.0

vendor:moxamodel:miineport e1 7080scope:eqversion:1.1.10

Trust: 1.0

vendor:moxamodel:miineport e2 1242scope:eqversion:1.1

Trust: 1.0

vendor:moxamodel:miineport e3scope:eqversion:1.0

Trust: 1.0

vendor:moxamodel:miineport e3scope: - version: -

Trust: 0.8

vendor:moxamodel:miineport e3scope:eqversion:1.0 build 11071409

Trust: 0.8

vendor:moxamodel:miineport e1 4641scope: - version: -

Trust: 0.8

vendor:moxamodel:miineport e1 4641scope:eqversion:1.1.10 build 09120714

Trust: 0.8

vendor:moxamodel:miineport e1 7080scope: - version: -

Trust: 0.8

vendor:moxamodel:miineport e1 7080scope:eqversion:1.1.10 build 09120714

Trust: 0.8

vendor:moxamodel:miineport e2 1242scope: - version: -

Trust: 0.8

vendor:moxamodel:miineport e2 1242scope:eqversion:1.1 build 10080614

Trust: 0.8

vendor:moxamodel:miineport e2 4561scope: - version: -

Trust: 0.8

vendor:moxamodel:miineport e2 4561scope:eqversion:1.1 build 10080614

Trust: 0.8

vendor:moxamodel:miineportscope: - version: -

Trust: 0.6

vendor:moxamodel:miineport e2 4561scope:eqversion: -

Trust: 0.6

vendor:moxamodel:miineport e3scope:eqversion: -

Trust: 0.6

vendor:moxamodel:miineport e1 4641scope:eqversion: -

Trust: 0.6

vendor:moxamodel:miineport e1 7080scope:eqversion: -

Trust: 0.6

vendor:moxamodel:miineport e2 1242scope:eqversion: -

Trust: 0.6

sources: CNVD: CNVD-2016-02875 // JVNDB: JVNDB-2016-002971 // CNNVD: CNNVD-201605-122 // NVD: CVE-2016-2295

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-2295
value: HIGH

Trust: 1.0

NVD: CVE-2016-2295
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-02875
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201605-122
value: MEDIUM

Trust: 0.6

VULHUB: VHN-91114
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-2295
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-02875
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-91114
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-2295
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2016-02875 // VULHUB: VHN-91114 // JVNDB: JVNDB-2016-002971 // CNNVD: CNNVD-201605-122 // NVD: CVE-2016-2295

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.9

sources: VULHUB: VHN-91114 // JVNDB: JVNDB-2016-002971 // NVD: CVE-2016-2295

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201605-122

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201605-122

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2016-002971

PATCH
title:MiiNePort E3シリーズurl:http://japan.moxa.com/product/MiiNePort_E3.htm
Trust: 0.8
title:MiiNePort E1 シリーズurl:http://japan.moxa.com/product/MiiNePort_E1.htm
Trust: 0.8
title:MiiNePort E2シリーズurl:http://japan.moxa.com/product/MiiNePort_E2.htm
Trust: 0.8
title:Patch for Moxa MiiNePort Information Disclosure Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/75422
Trust: 0.6
title:Moxa MiiNePort Repair measures for information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=61445
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2016-02875 // 
            
            
            
            JVNDB: JVNDB-2016-002971 // 
            
            
            
            CNNVD: CNNVD-201605-122

EXTERNAL IDS
db:NVDid:CVE-2016-2295
Trust: 3.2
db:ICS CERTid:ICSA-16-145-01
Trust: 2.5
db:PACKETSTORMid:136891
Trust: 1.3
db:JVNDBid:JVNDB-2016-002971
Trust: 0.8
db:CNNVDid:CNNVD-201605-122
Trust: 0.7
db:CNVDid:CNVD-2016-02875
Trust: 0.6
db:VULHUBid:VHN-91114
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-02875 // 
            
            
            
            VULHUB: VHN-91114 // 
            
            
            
            JVNDB: JVNDB-2016-002971 // 
            
            
            
            PACKETSTORM: 136891 // 
            
            
            
            CNNVD: CNNVD-201605-122 // 
            
            
            
            NVD: CVE-2016-2295

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-16-145-01
Trust: 2.5
url:https://packetstormsecurity.com/files/136891/moxa-miineport-weak-credential-management-csrf.html
Trust: 1.2
url:http://seclists.org/fulldisclosure/2016/may/7
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2295
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2295
Trust: 0.8
url:http://www.moxa.com/product/miineport_e1.htm
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-2295
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-2286
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2016-2285
Trust: 0.1
url:http://www.moxa.com/product/miineport_e2.htm
Trust: 0.1
url:http://www.moxa.com/product/miineport_e3.htm
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2016-02875 // 
            
            
            
            VULHUB: VHN-91114 // 
            
            
            
            JVNDB: JVNDB-2016-002971 // 
            
            
            
            PACKETSTORM: 136891 // 
            
            
            
            CNNVD: CNNVD-201605-122 // 
            
            
            
            NVD: CVE-2016-2295

CREDITS
Karn Ganeshen
Trust: 0.1
sources:
            
            
            PACKETSTORM: 136891

SOURCES
db:CNVDid:CNVD-2016-02875
db:VULHUBid:VHN-91114
db:JVNDBid:JVNDB-2016-002971
db:PACKETSTORMid:136891
db:CNNVDid:CNNVD-201605-122
db:NVDid:CVE-2016-2295

LAST UPDATE DATE
2025-04-13T23:21:07.714000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2016-02875date:2016-05-10T00:00:00
db:VULHUBid:VHN-91114date:2016-11-30T00:00:00
db:JVNDBid:JVNDB-2016-002971date:2016-06-02T00:00:00
db:CNNVDid:CNNVD-201605-122date:2016-06-01T00:00:00
db:NVDid:CVE-2016-2295date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CNVDid:CNVD-2016-02875date:2016-05-10T00:00:00
db:VULHUBid:VHN-91114date:2016-05-31T00:00:00
db:JVNDBid:JVNDB-2016-002971date:2016-06-02T00:00:00
db:PACKETSTORMid:136891date:2016-05-03T22:45:50
db:CNNVDid:CNNVD-201605-122date:2016-05-05T00:00:00
db:NVDid:CVE-2016-2295date:2016-05-31T01:59:07.290