Details of VAR-202402-3319

ID

VAR-202402-3319

CVE

CVE-2024-0387

TITLE

plural Moxa Inc. Product vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2024-019584

DESCRIPTION

The EDS-4000/G4000 Series prior to version 3.2 includes IP forwarding capabilities that users cannot deactivate. An attacker may be able to send requests to the product and have it forwarded to the target. An attacker can bypass access controls or hide the source of malicious requests. EDS-4008 firmware, EDS-4009 firmware, EDS-4012 firmware etc. Moxa Inc. There are unspecified vulnerabilities in the product.Information may be obtained and information may be tampered with. MOXA EDS-4000/G4000 Series is a series of industrial managed Ethernet switches from China's MOXA company. There is a security bypass vulnerability in MOXA EDS-4000/G4000 Series versions prior to 3.2

Trust: 2.16

sources: NVD: CVE-2024-0387 // JVNDB: JVNDB-2024-019584 // CNVD: CNVD-2024-41852

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-41852

AFFECTED PRODUCTS

vendor:	moxa	model:	eds-g4008	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-g4014	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-4014	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-g4012	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-4008	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-4012	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-4009	scope:	lte	version:	3.2	Trust: 1.0
vendor:	moxa	model:	eds-4014	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-g4008	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-g4012	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-4008	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-g4014	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-4012	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-4009	scope:	-	version:	-	Trust: 0.8
vendor:	moxa	model:	eds-4000/g4000 series	scope:	lt	version:	3.2	Trust: 0.6

sources: CNVD: CNVD-2024-41852 // JVNDB: JVNDB-2024-019584 // NVD: CVE-2024-0387

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@moxa.com:	CVE-2024-0387
value:	MEDIUM
Trust: 1.0
nvd@nist.gov:	CVE-2024-0387
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2024-0387
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2024-41852
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-41852
severity:	MEDIUM
baseScore:	5.2
vectorString:	AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	5.1
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

psirt@moxa.com:	CVE-2024-0387
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	2.3
impactScore:	3.7
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2024-0387
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.5
version:	3.1
Trust: 1.0
NVD:	CVE-2024-0387
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-41852 // JVNDB: JVNDB-2024-019584 // NVD: CVE-2024-0387 // NVD: CVE-2024-0387

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-1188	Trust: 1.0
problemtype:	Initializing Resources to Unsafe Default Values (CWE-1188) [ others ]	Trust: 0.8
problemtype:	Lack of information (CWE-noinfo) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-019584 // NVD: CVE-2024-0387

PATCH

title:

Patch for MOXA EDS-4000/G4000 Series Security Bypass Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/601596

Trust: 0.6

sources: CNVD: CNVD-2024-41852

EXTERNAL IDS

db:	NVD	id:	CVE-2024-0387	Trust: 3.2
db:	JVNDB	id:	JVNDB-2024-019584	Trust: 0.8
db:	CNVD	id:	CNVD-2024-41852	Trust: 0.6

sources: CNVD: CNVD-2024-41852 // JVNDB: JVNDB-2024-019584 // NVD: CVE-2024-0387

REFERENCES

url:	https://www.moxa.com/en/support/product-support/security-advisory/mpsa-237129-eds-4000-g4000-series-ip-forwarding-vulnerability?viewmode=0	Trust: 2.4
url:	https://nvd.nist.gov/vuln/detail/cve-2024-0387	Trust: 0.8

sources: CNVD: CNVD-2024-41852 // JVNDB: JVNDB-2024-019584 // NVD: CVE-2024-0387

SOURCES

db:	CNVD	id:	CNVD-2024-41852
db:	JVNDB	id:	JVNDB-2024-019584
db:	NVD	id:	CVE-2024-0387

LAST UPDATE DATE

2025-03-05T22:59:52.959000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-41852	date:	2024-10-28T00:00:00
db:	JVNDB	id:	JVNDB-2024-019584	date:	2025-03-04T01:35:00
db:	NVD	id:	CVE-2024-0387	date:	2025-02-25T22:56:10.743

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-41852	date:	2024-10-28T00:00:00
db:	JVNDB	id:	JVNDB-2024-019584	date:	2025-03-04T00:00:00
db:	NVD	id:	CVE-2024-0387	date:	2024-02-26T16:27:49.890