Sign-up

ID

VAR-202003-0535


CVE

CVE-2019-9104


TITLE

plural Moxa MGate Inadequate protection of credentials on devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-014863

DESCRIPTION

An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. The application's configuration file contains parameters that represent passwords in cleartext. plural Moxa MGate Devices contain vulnerabilities in insufficient protection of credentials.Information may be obtained. Moxa MB3170/MB3270/MB3180/MB3280/MB3480/MB3660 series is an advanced Ethernet gateway device produced by Taiwan Moxa Technology Co., Ltd. Many Moxa products have information disclosure vulnerabilities that attackers can use to access administrative accounts

Trust: 2.25

sources: NVD: CVE-2019-9104 // JVNDB: JVNDB-2019-014863 // CNVD: CNVD-2020-18360 // VULMON: CVE-2019-9104

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-18360

AFFECTED PRODUCTS

vendor:moxamodel:mb3180scope:lteversion:2.0

Trust: 1.0

vendor:moxamodel:mb3270scope:lteversion:4.0

Trust: 1.0

vendor:moxamodel:mb3170scope:lteversion:4.0

Trust: 1.0

vendor:moxamodel:mb3280scope:lteversion:3.0

Trust: 1.0

vendor:moxamodel:mb3660scope:lteversion:2.2

Trust: 1.0

vendor:moxamodel:mb3480scope:lteversion:3.0

Trust: 1.0

vendor:moxamodel:mgate mb3170scope:eqversion:4.1

Trust: 0.8

vendor:moxamodel:mgate mb3180scope:eqversion:2.1

Trust: 0.8

vendor:moxamodel:mgate mb3270scope:eqversion:4.1

Trust: 0.8

vendor:moxamodel:mgate mb3280scope:eqversion:3.1

Trust: 0.8

vendor:moxamodel:mgate mb3480scope:eqversion:3.1

Trust: 0.8

vendor:moxamodel:mgate mb3660scope:eqversion:2.3

Trust: 0.8

vendor:moxamodel:mb3180scope:lteversion:<=2.0

Trust: 0.6

vendor:moxamodel:mb3280scope:lteversion:<=3.0

Trust: 0.6

vendor:moxamodel:mb3480scope:lteversion:<=3.0

Trust: 0.6

vendor:moxamodel:mb3660scope:lteversion:<=2.2

Trust: 0.6

vendor:moxamodel:mb3170scope:lteversion:<=4.0

Trust: 0.6

vendor:moxamodel:mb3270scope:lteversion:<=4.0

Trust: 0.6

sources: CNVD: CNVD-2020-18360 // JVNDB: JVNDB-2019-014863 // NVD: CVE-2019-9104

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-9104
value: HIGH

Trust: 1.0

cve@mitre.org: CVE-2019-9104
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2019-014863
value: HIGH

Trust: 0.8

CNVD: CNVD-2020-18360
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202002-1193
value: HIGH

Trust: 0.6

VULMON: CVE-2019-9104
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-9104
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2019-014863
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

CNVD: CNVD-2020-18360
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-9104
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2019-9104
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.0

NVD: JVNDB-2019-014863
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-18360 // VULMON: CVE-2019-9104 // JVNDB: JVNDB-2019-014863 // CNNVD: CNNVD-202002-1193 // NVD: CVE-2019-9104 // NVD: CVE-2019-9104

PROBLEMTYPE DATA

problemtype:CWE-522

Trust: 1.8

problemtype:CWE-312

Trust: 1.0

sources: JVNDB: JVNDB-2019-014863 // NVD: CVE-2019-9104

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202002-1193

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202002-1193

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-014863

PATCH
title:MB3170/MB3180/MB3270/MB3280/MB3480/MB3660 Series Protocol Gateways Vulnerabilitiesurl:https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities
Trust: 0.8
title:Patch for Multiple Moxa product information disclosure vulnerabilities (CNVD-2020-18360)url:https://www.cnvd.org.cn/patchInfo/show/209847
Trust: 0.6
title:Multiple Moxa Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=111951
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2020-18360 // 
            
            
            
            JVNDB: JVNDB-2019-014863 // 
            
            
            
            CNNVD: CNNVD-202002-1193

EXTERNAL IDS
db:ICS CERTid:ICSA-20-056-01
Trust: 3.1
db:NVDid:CVE-2019-9104
Trust: 3.1
db:JVNDBid:JVNDB-2019-014863
Trust: 0.8
db:CNVDid:CNVD-2020-18360
Trust: 0.6
db:AUSCERTid:ESB-2020.0720
Trust: 0.6
db:CNNVDid:CNNVD-202002-1193
Trust: 0.6
db:VULMONid:CVE-2019-9104
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-18360 // 
            
            
            
            VULMON: CVE-2019-9104 // 
            
            
            
            JVNDB: JVNDB-2019-014863 // 
            
            
            
            CNNVD: CNNVD-202002-1193 // 
            
            
            
            NVD: CVE-2019-9104

REFERENCES
url:https://www.us-cert.gov/ics/advisories/icsa-20-056-01
Trust: 3.7
url:https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities
Trust: 1.7
url:https://nvd.nist.gov/vuln/detail/cve-2019-9104
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9104
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.0720/
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/312.html
Trust: 0.1
url:https://cwe.mitre.org/data/definitions/522.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            CNVD: CNVD-2020-18360 // 
            
            
            
            VULMON: CVE-2019-9104 // 
            
            
            
            JVNDB: JVNDB-2019-014863 // 
            
            
            
            CNNVD: CNNVD-202002-1193 // 
            
            
            
            NVD: CVE-2019-9104

CREDITS
Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar, and Maxim Kozhevnikov from Positive Technologies
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-202002-1193

SOURCES
db:CNVDid:CNVD-2020-18360
db:VULMONid:CVE-2019-9104
db:JVNDBid:JVNDB-2019-014863
db:CNNVDid:CNNVD-202002-1193
db:NVDid:CVE-2019-9104

LAST UPDATE DATE
2024-11-23T21:36:03.720000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2020-18360date:2020-03-20T00:00:00
db:VULMONid:CVE-2019-9104date:2021-07-21T00:00:00
db:JVNDBid:JVNDB-2019-014863date:2020-03-24T00:00:00
db:CNNVDid:CNNVD-202002-1193date:2020-03-13T00:00:00
db:NVDid:CVE-2019-9104date:2024-11-21T04:50:59.400

SOURCES RELEASE DATE
db:CNVDid:CNVD-2020-18360date:2020-03-20T00:00:00
db:VULMONid:CVE-2019-9104date:2020-03-11T00:00:00
db:JVNDBid:JVNDB-2019-014863date:2020-03-24T00:00:00
db:CNNVDid:CNNVD-202002-1193date:2020-02-25T00:00:00
db:NVDid:CVE-2019-9104date:2020-03-11T15:15:17.247