CVE-2019-6557 – CVE-2019-6557 is a critical buffer overflow vul... (How to Fix)

Q: What is the severity of CVE-2019-6557?

CVE-2019-6557 has a CVSS score of 9.8 (CRITICAL). CVE-2019-6557 is a critical buffer overflow vulnerability in Moxa IKS and EDS industrial networking devices that allows remote attackers to execute arbitrary code. This affects organizations using these industrial control system (ICS) devices, potentially compromising critical infrastructure. The vulnerability stems from improper bounds checking in network services.

📋 TL;DR

CVE-2019-6557 is a critical buffer overflow vulnerability in Moxa IKS and EDS industrial networking devices that allows remote attackers to execute arbitrary code. This affects organizations using these industrial control system (ICS) devices, potentially compromising critical infrastructure. The vulnerability stems from improper bounds checking in network services.

💻 Affected Systems

Products:

Moxa IKS-G6824A
Moxa IKS-G6824A-2GSFP
Moxa EDS-405A
Moxa EDS-408A
Moxa EDS-510A

Versions: Firmware versions prior to 4.5

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations are vulnerable. These are industrial Ethernet switches used in critical infrastructure environments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems leading to operational disruption, data theft, or physical damage to critical infrastructure.

🟠

Likely Case

Remote code execution allowing attackers to install malware, pivot to other systems, or disrupt industrial operations.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH - Devices exposed to internet are directly vulnerable to remote exploitation without authentication.

🏢 Internal Only: HIGH - Even internally, vulnerable devices can be exploited by attackers who gain network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to vulnerable services. Public exploit code exists making this easily weaponizable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 4.5 and later

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/moxa-iks-and-eds-series-industrial-ethernet-switches-buffer-overflow-vulnerability

Restart Required: Yes

Instructions:

1. Download firmware version 4.5 or later from Moxa website. 2. Backup current configuration. 3. Upload new firmware via web interface or CLI. 4. Reboot device. 5. Restore configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable devices in separate network segments with strict firewall rules.

Access Control Lists

all

Implement ACLs to restrict network access to vulnerable services (typically TCP ports 80, 443, 23).

access-list 100 deny tcp any any eq 80
access-list 100 deny tcp any any eq 443
access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any

🧯 If You Can't Patch

Remove internet exposure immediately and place behind firewalls with strict ingress/egress rules.
Implement network monitoring and intrusion detection specifically for traffic to/from these devices.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or CLI command 'show version'.

Check Version:

show version

Verify Fix Applied:

Confirm firmware version is 4.5 or higher and verify no buffer overflow conditions in network services.

📡 Detection & Monitoring

Log Indicators:

Multiple connection attempts to device management ports
Unusual process execution on device
Configuration changes not initiated by administrators

Network Indicators:

Unusual traffic patterns to device management ports (80, 443, 23)
Buffer overflow patterns in network packets
Exploit-specific payloads in traffic

SIEM Query:

source_ip="*" AND (dest_port=80 OR dest_port=443 OR dest_port=23) AND dest_ip="[device_ip]" AND bytes>threshold

📊 Metadata

CVE ID: CVE-2019-6557

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: March 5, 2019

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/107178 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01 Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/107178 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-6557, you might also want to check these: