CVE-2019-6563 – This vulnerability in Moxa IKS and EDS devices ... (How to Fix)

Q: What is the severity of CVE-2019-6563?

CVE-2019-6563 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Moxa IKS and EDS devices allows attackers to predict authentication cookies due to weak MD5 hashing, enabling them to capture administrator passwords and fully compromise affected devices. It affects industrial networking equipment used in critical infrastructure environments. Organizations using these devices without proper security controls are at significant risk.

📋 TL;DR

This vulnerability in Moxa IKS and EDS devices allows attackers to predict authentication cookies due to weak MD5 hashing, enabling them to capture administrator passwords and fully compromise affected devices. It affects industrial networking equipment used in critical infrastructure environments. Organizations using these devices without proper security controls are at significant risk.

💻 Affected Systems

Products:

Moxa IKS-G6824A
Moxa IKS-G6824A-2GSFP
Moxa EDS-405A
Moxa EDS-408A
Moxa EDS-510A

Versions: All versions prior to 4.5

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web management interface authentication mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover leading to industrial control system compromise, data theft, operational disruption, and potential physical safety risks in critical infrastructure.

🟠

Likely Case

Unauthorized administrative access allowing configuration changes, data exfiltration, and use as pivot point for network attacks.

🟢

If Mitigated

Limited impact if devices are isolated, have strong network controls, and authentication is monitored.

🌐 Internet-Facing: HIGH - Directly exposed devices can be compromised remotely without authentication.

🏢 Internal Only: HIGH - Internal attackers or malware can exploit this to gain administrative privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires network access to web interface but no authentication. Cookie prediction is straightforward with known MD5 weaknesses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.5

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/moxa-iks-and-eds-gigabit-switches-vulnerabilities

Restart Required: Yes

Instructions:

1. Download firmware version 4.5 or later from Moxa website. 2. Backup current configuration. 3. Upload new firmware via web interface. 4. Reboot device. 5. Restore configuration if needed.

🔧 Temporary Workarounds

Network Isolation

all

Restrict access to device management interfaces to trusted networks only.

Configure firewall rules to block external access to ports 80/443 on affected devices

Access Control Lists

all

Implement strict source IP restrictions for management access.

Configure device ACLs to permit only authorized management stations

🧯 If You Can't Patch

Isolate affected devices in separate VLAN with strict firewall rules
Implement network monitoring for unauthorized access attempts to management interfaces

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. If version is below 4.5, device is vulnerable.

Check Version:

show version (CLI) or check System Information in web interface

Verify Fix Applied:

Confirm firmware version is 4.5 or higher and test authentication cookie generation.

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts followed by successful login from unusual IP
Administrative configuration changes from unexpected sources

Network Indicators:

Unusual traffic patterns to/from device management ports
Authentication requests from unauthorized IP ranges

SIEM Query:

source_ip IN (device_management_ips) AND (event_type="authentication_success" AND NOT source_ip IN (authorized_admin_ips))

📊 Metadata

CVE ID: CVE-2019-6563

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-341

Published: March 5, 2019

Last Updated: November 21, 2024

🔗 References

http://www.securityfocus.com/bid/107178 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01 Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/107178 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-6563, you might also want to check these: