CVE-2018-11426

9.8 CRITICAL

📋 TL;DR

CVE-2018-11426 is an authentication bypass in Moxa OnCell G3100-HSPA Series cellular gateways. The cookie that the web interface uses to track an authenticated session is weak enough to be brute forced, so an unauthenticated attacker who can reach the web interface can guess a valid session value and use every function of the interface except password change, which amounts to full administrative control of the device. Any organization running affected firmware on these gateways is exposed.

💻 Affected Systems

Products:
  • Moxa OnCell G3100-HSPA Series
Versions: version 1.4 Build 16062919 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the cellular gateway, allowing attackers to reconfigure network settings, intercept traffic, disable security controls, and use the device as an entry point into the networks behind it.

🟠 Likely Case: Unauthorized access to the web interface, letting attackers read configuration data, modify device settings, and disrupt industrial operations that depend on these cellular gateways.

🟢 If Mitigated: Limited impact when devices sit behind firewalls with strict network segmentation and access controls that keep the web interface off untrusted networks; the authentication bypass itself remains, so the exposure is only as good as the network controls around it.

🌐 Internet-Facing: HIGH - These cellular gateways are often deployed at remote sites with internet connectivity, making them directly accessible to attackers who can brute force the weak authentication.
🏢 Internal Only: MEDIUM - Even internally, the vulnerability allows unauthorized access, though the attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a brute force of a predictable cookie value, which is straightforward to automate with off-the-shelf HTTP tooling and needs no credentials. Public advisories include technical details that facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.5 or later

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3100-hspa-series-vulnerabilities

Restart Required: Yes

Instructions:

1. Download firmware version 1.5 or later from the Moxa support portal.
2. Log into the web interface. If you suspect the device has already been compromised, export its current configuration and logs first so that attacker-made changes can be reviewed, and treat the upgrade as part of incident response.
3. Navigate to Maintenance > Firmware Upgrade.
4. Upload the new firmware file.
5. Wait for the device to reboot automatically.
6. After the reboot, change the administrator password and review the configuration: the bypass allows an attacker to read and modify settings, so a patched device may still carry hostile configuration.

🔧 Temporary Workarounds

Network Access Restriction (applies to all affected versions)

Restrict access to the web interface using firewall rules so that only connections from trusted management networks reach the device on its HTTP and HTTPS ports.

Disable Unused Interfaces (applies to all affected versions)

Disable any unnecessary network interfaces or services on the device to reduce the attack surface.

🧯 If You Can't Patch

  • Isolate affected devices in a separate network segment with strict firewall rules limiting inbound and outbound connections.
  • Implement network monitoring and intrusion detection specifically for traffic to/from these devices to detect exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface at System > System Information. If version is 1.4 Build 16062919 or earlier, the device is vulnerable.

Check Version:

No CLI command available; must use web interface at System > System Information page.

Verify Fix Applied:

After upgrading, verify that the firmware version shown in System > System Information is 1.5 or later. Then confirm the fix behaviourally: a request to an administrative page that carries no session cookie, or an arbitrary guessed one, must be refused or redirected to the login page rather than served.

📡 Detection & Monitoring

Log Indicators:

  • A burst of requests from one source carrying many different session cookie values, followed by a successful (200) response to an administrative page from that same source
  • Access to administrative pages from IP addresses outside the expected management networks

Network Indicators:

  • Brute force patterns against the web interface port (typically 80/443): high request rates from a single source, each request differing only in the cookie value
  • Administrative access from unexpected network segments

SIEM Query (Splunk-style; field names such as src_ip, dest_ip, http_status, http_method, uri and cookie depend on your proxy or IDS log source and must be mapped accordingly):

index=<proxy_or_web_index> dest_ip="<device_ip>" (dest_port=80 OR dest_port=443)
| bin _time span=1m
| stats count AS requests, dc(cookie) AS distinct_cookies, sum(eval(if(http_status=200,1,0))) AS successes, sum(eval(if(http_method="POST" AND like(uri,"%login%"),1,0))) AS login_posts BY src_ip, _time
| where distinct_cookies > 5 OR login_posts > 10
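The log and network indicators above come down to one pattern: a single source presenting many different session cookie values to the gateway in a short window, and then getting a 200 back. The following script runs that check over a handful of access-log lines. It is an added example for this page, not code from the advisory or from Moxa; it assumes a reverse proxy or IDS in front of the gateway logs each HTTP request with the source IP, status code and raw Cookie header, in a constructed one-line-per-request format. The sample log, the cookie name, the field layout and the thresholds are all assumptions for illustration.

```python
"""Detect brute forcing of a weak session cookie against a web admin interface.

Added example (not part of the advisory or of Moxa's firmware). Assumed log
format, one line per HTTP request, written by a reverse proxy or IDS in front
of the gateway:

    <ISO-8601 timestamp> <src_ip> <method> <uri> <status> cookie=<Cookie header>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a legitimate admin (10.0.0.5), a user who logs in
# again and so legitimately changes cookie once (192.168.1.20), and a source
# cycling through guessed session values until the gateway answers 200
# (203.0.113.7). 302 is assumed to be the redirect to the login page.
SAMPLE_LOG = """\
2018-07-01T10:00:00 10.0.0.5 GET /index.htm 200 cookie=session=4f1c2a
2018-07-01T10:00:03 10.0.0.5 GET /system_info.htm 200 cookie=session=4f1c2a
2018-07-01T10:00:09 192.168.1.20 GET /index.htm 200 cookie=session=9b77e0
2018-07-01T10:00:20 192.168.1.20 POST /login.cgi 302 cookie=session=9b77e0
2018-07-01T10:00:21 192.168.1.20 GET /index.htm 200 cookie=session=c03d11
2018-07-01T10:00:30 203.0.113.7 GET /index.htm 302 cookie=session=1
2018-07-01T10:00:31 203.0.113.7 GET /index.htm 302 cookie=session=2
2018-07-01T10:00:32 203.0.113.7 GET /index.htm 302 cookie=session=3
2018-07-01T10:00:33 203.0.113.7 GET /index.htm 302 cookie=session=4
2018-07-01T10:00:34 203.0.113.7 GET /index.htm 302 cookie=session=5
2018-07-01T10:00:35 203.0.113.7 GET /index.htm 302 cookie=session=6
2018-07-01T10:00:36 203.0.113.7 GET /index.htm 302 cookie=session=7
2018-07-01T10:00:37 203.0.113.7 GET /index.htm 200 cookie=session=8
2018-07-01T10:00:40 203.0.113.7 GET /system_info.htm 200 cookie=session=8
2018-07-01T10:00:45 10.0.0.5 GET /index.htm 200 cookie=session=4f1c2a
"""


def parse_line(line):
    """Split one assumed-format log line into a dict of typed fields."""
    ts, src, method, uri, status, cookie = line.split(maxsplit=5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "uri": uri, "status": int(status),
            "cookie": cookie[len("cookie="):]}


def detect_cookie_bruteforce(log_lines, window=timedelta(seconds=60),
                             distinct_threshold=5):
    """Return one alert per source IP that presented at least
    `distinct_threshold` different cookie values inside any span of `window`.

    success_after_burst is True when, inside such a span, the gateway returned
    200 to a request made *after* the threshold had already been crossed, i.e.
    the "many failures, then a success without credentials" pattern. A 200
    seen before the threshold (a normal logged-in user) does not count.
    """
    events_by_src = defaultdict(list)
    for line in log_lines:
        if line.strip():
            ev = parse_line(line)
            events_by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        max_distinct, success, first, last = 0, False, None, None
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward so events[start:end+1] spans <= window.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            distinct = set()
            for e in events[start:end + 1]:
                distinct.add(e["cookie"])
                if len(distinct) >= distinct_threshold and e["status"] == 200:
                    success = True
            if len(distinct) >= distinct_threshold:
                max_distinct = max(max_distinct, len(distinct))
                first = first or events[start]["ts"]
                last = ev["ts"]
        if max_distinct >= distinct_threshold:
            alerts.append({"src": src, "distinct_cookies": max_distinct,
                           "requests": len(events), "first_seen": first,
                           "last_seen": last, "success_after_burst": success})
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as-is, the script reports only 203.0.113.7: eight distinct cookie values in under a minute, with a 200 arriving after the threshold was crossed, which is the indicator worth paging on. The source that re-authenticated (192.168.1.20) changes cookie once and stays below the threshold. When the cookie space is as small as a brute-forceable parameter implies, the distinct-cookie count climbs fast, so a threshold of five per minute is conservative; tune it against a day of baseline traffic from the management network before alerting on it.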
