CVE-2018-11422
📋 TL;DR
CVE-2018-11422 is a critical vulnerability in Moxa OnCell G3100-HSPA Series cellular gateways where all configuration communications are sent in plain text without authentication. This allows attackers to intercept, modify, or inject commands including device reboot, configuration changes, and firmware updates. Organizations using these devices in version 1.6 Build 17100315 or earlier are affected.
💻 Affected Systems
- Moxa OnCell G3100-HSPA Series
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing firmware replacement, configuration alteration, device bricking, or use as network pivot point for further attacks.
Likely Case
Configuration theft or modification leading to network disruption, data interception, or unauthorized access to connected systems.
If Mitigated
Limited impact if devices are isolated in secure network segments with strict access controls and monitoring.
🎯 Exploit Status
Exploitation requires network access to the device but no authentication or special tools beyond network packet capture/modification.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.7 or later
Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3100-hspa-series-vulnerabilities
Restart Required: Yes
Instructions:
1. Download firmware version 1.7 or later from Moxa support site. 2. Backup current configuration. 3. Upload new firmware via web interface or command line. 4. Reboot device. 5. Restore configuration if needed.
🔧 Temporary Workarounds
Network segmentation and isolation
allPlace devices in isolated VLANs with strict firewall rules limiting access to management interfaces.
VPN tunnel for management
allRequire VPN connection for all management access to encrypt configuration traffic.
🧯 If You Can't Patch
- Isolate devices behind firewalls with strict inbound/outbound rules
- Implement network monitoring for unusual traffic to device management ports
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. If version is 1.6 Build 17100315 or earlier, device is vulnerable.Check Version:
Check via web interface at System > System Information or via serial console using 'show version'Verify Fix Applied:
Verify firmware version is 1.7 or later. Test configuration changes require authentication.📡 Detection & Monitoring
Log Indicators:
- Unauthorized configuration changes
- Unexpected firmware update attempts
- Multiple failed authentication attempts
Network Indicators:
- Plain text configuration traffic on management ports
- Unusual source IPs accessing device management interface
SIEM Query:
source_ip=[device_ip] AND (port=23 OR port=80 OR port=443) AND protocol=TCP AND payload_contains="config" OR "firmware"