Details of VAR-202003-0528

ID

VAR-202003-0528

CVE

CVE-2019-9096

TITLE

plural Moxa MGate Vulnerability in requesting weak passwords on devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-014920

DESCRIPTION

An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. Insufficient password requirements for the MGate web application may allow an attacker to gain access by brute-forcing account passwords. plural Moxa MGate The device is vulnerable to a weak password request.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Moxa MB3170/MB3270/MB3180/MB3280/MB3480/MB3660 series is an advanced Ethernet gateway device produced by Taiwan Moxa Technology Co., Ltd. Many Moxa products have weak password vulnerabilities. Attackers can use this vulnerability to gain access through brute force attacks

Trust: 2.16

sources: NVD: CVE-2019-9096 // JVNDB: JVNDB-2019-014920 // CNVD: CNVD-2020-18366

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2020-18366

AFFECTED PRODUCTS

vendor:	moxa	model:	mb3180	scope:	lte	version:	2.0	Trust: 1.0
vendor:	moxa	model:	mb3270	scope:	lte	version:	4.0	Trust: 1.0
vendor:	moxa	model:	mb3170	scope:	lte	version:	4.0	Trust: 1.0
vendor:	moxa	model:	mb3280	scope:	lte	version:	3.0	Trust: 1.0
vendor:	moxa	model:	mb3660	scope:	lte	version:	2.2	Trust: 1.0
vendor:	moxa	model:	mb3480	scope:	lte	version:	3.0	Trust: 1.0
vendor:	moxa	model:	mgate mb3170	scope:	eq	version:	4.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3180	scope:	eq	version:	2.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3270	scope:	eq	version:	4.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3280	scope:	eq	version:	3.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3480	scope:	eq	version:	3.1	Trust: 0.8
vendor:	moxa	model:	mgate mb3660	scope:	eq	version:	2.3	Trust: 0.8
vendor:	moxa	model:	mb3180	scope:	lte	version:	<=2.0	Trust: 0.6
vendor:	moxa	model:	mb3280	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	moxa	model:	mb3480	scope:	lte	version:	<=3.0	Trust: 0.6
vendor:	moxa	model:	mb3660	scope:	lte	version:	<=2.2	Trust: 0.6
vendor:	moxa	model:	mb3170	scope:	lte	version:	<=4.0	Trust: 0.6
vendor:	moxa	model:	mb3270	scope:	lte	version:	<=4.0	Trust: 0.6

sources: CNVD: CNVD-2020-18366 // JVNDB: JVNDB-2019-014920 // NVD: CVE-2019-9096

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-9096
value:	CRITICAL
Trust: 1.0
cve@mitre.org:	CVE-2019-9096
value:	CRITICAL
Trust: 1.0
NVD:	JVNDB-2019-014920
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2020-18366
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202002-1195
value:	CRITICAL
Trust: 0.6

nvd@nist.gov:	CVE-2019-9096
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
NVD:	JVNDB-2019-014920
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
CNVD:	CNVD-2020-18366
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2019-9096
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
cve@mitre.org:	CVE-2019-9096
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.0
NVD:	JVNDB-2019-014920
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2020-18366 // JVNDB: JVNDB-2019-014920 // CNNVD: CNNVD-202002-1195 // NVD: CVE-2019-9096 // NVD: CVE-2019-9096

PROBLEMTYPE DATA

problemtype:

CWE-521

Trust: 1.8

sources: JVNDB: JVNDB-2019-014920 // NVD: CVE-2019-9096

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1195

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202002-1195

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014920

PATCH

title:	MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways Vulnerabilities	url:	https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities	Trust: 0.8
title:	Patch for Multiple Moxa products weak password vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/209845	Trust: 0.6
title:	Multiple Moxa Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111708	Trust: 0.6

sources: CNVD: CNVD-2020-18366 // JVNDB: JVNDB-2019-014920 // CNNVD: CNNVD-202002-1195

EXTERNAL IDS

db:	ICS CERT	id:	ICSA-20-056-01	Trust: 3.0
db:	NVD	id:	CVE-2019-9096	Trust: 3.0
db:	JVNDB	id:	JVNDB-2019-014920	Trust: 0.8
db:	CNVD	id:	CNVD-2020-18366	Trust: 0.6
db:	AUSCERT	id:	ESB-2020.0720	Trust: 0.6
db:	CNNVD	id:	CNNVD-202002-1195	Trust: 0.6

sources: CNVD: CNVD-2020-18366 // JVNDB: JVNDB-2019-014920 // CNNVD: CNNVD-202002-1195 // NVD: CVE-2019-9096

REFERENCES

url:	https://www.us-cert.gov/ics/advisories/icsa-20-056-01	Trust: 3.6
url:	https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities	Trust: 1.6
url:	https://nvd.nist.gov/vuln/detail/cve-2019-9096	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9096	Trust: 0.8
url:	https://www.auscert.org.au/bulletins/esb-2020.0720/	Trust: 0.6

sources: CNVD: CNVD-2020-18366 // JVNDB: JVNDB-2019-014920 // CNNVD: CNNVD-202002-1195 // NVD: CVE-2019-9096

CREDITS

Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Maxim Kozhevnikov from Positive Technologies

Trust: 0.6

sources: CNNVD: CNNVD-202002-1195

SOURCES

db:	CNVD	id:	CNVD-2020-18366
db:	JVNDB	id:	JVNDB-2019-014920
db:	CNNVD	id:	CNNVD-202002-1195
db:	NVD	id:	CVE-2019-9096

LAST UPDATE DATE

2024-11-23T21:36:03.750000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2020-18366	date:	2020-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-014920	date:	2020-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202002-1195	date:	2020-03-18T00:00:00
db:	NVD	id:	CVE-2019-9096	date:	2024-11-21T04:50:58.280

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2020-18366	date:	2020-03-20T00:00:00
db:	JVNDB	id:	JVNDB-2019-014920	date:	2020-03-30T00:00:00
db:	CNNVD	id:	CNNVD-202002-1195	date:	2020-02-25T00:00:00
db:	NVD	id:	CVE-2019-9096	date:	2020-03-11T15:15:16.577