CVE-2019-9095

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to intercept weakly encrypted passwords on Moxa MGate industrial protocol gateways, potentially gaining administrative access. Affected devices include multiple MGate models with outdated firmware versions.

💻 Affected Systems

Products:
  • Moxa MGate MB3170
  • Moxa MGate MB3270
  • Moxa MGate MB3280
  • Moxa MGate MB3480
  • Moxa MGate MB3660
  • Moxa MGate MB3180
Versions: MB3170/MB3270 before 4.1, MB3280/MB3480 before 3.1, MB3660 before 2.3, MB3180 before 2.1
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations are vulnerable. The vulnerability involves weak encryption of administrative passwords during transmission.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full administrative compromise of industrial control system gateways, allowing attackers to manipulate industrial processes, disrupt operations, or pivot to other critical systems.

🟠 Likely Case: Unauthorized administrative access to gateways, enabling configuration changes, data interception, or denial of service against connected industrial equipment.

🟢 If Mitigated: Limited impact if strong network segmentation, monitoring, and access controls prevent exploitation attempts from reaching vulnerable devices.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, attackers can remotely intercept credentials and gain administrative access.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to gain administrative privileges on gateways.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to intercept traffic, but the weak encryption makes password recovery straightforward once intercepted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MB3170/MB3270: 4.1+, MB3280/MB3480: 3.1+, MB3660: 2.3+, MB3180: 2.1+

Vendor Advisory: https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities

Restart Required: Yes

Instructions:

1. Download the appropriate firmware from the Moxa support portal.
2. Back up the current configuration.
3. Upload the firmware via the web interface or console.
4. Reboot the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable devices in separate network segments with strict firewall rules to prevent unauthorized access.

Access Control Lists

all

Implement strict ACLs to limit which IP addresses can communicate with the management interfaces of affected devices.

🧯 If You Can't Patch

  • Implement network monitoring and intrusion detection for traffic to/from affected devices
  • Change administrative passwords regularly and use complex credentials

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or console command 'show version'

Check Version:

show version

Verify Fix Applied:

Confirm the firmware version meets the minimum patched version for that model, and verify with a network analyzer that the administrative password is no longer transmitted with weak encryption.
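As an added triage aid (not from the advisory or from Moxa), the following Python script compares each gateway's model and reported firmware version against the minimum patched versions listed above. The inventory rows, hostnames, and the "Build" suffix in version strings are constructed assumptions, not real device output.

```python
import re

# Minimum patched firmware per model, as listed in the advisory card above.
MIN_PATCHED = {
    "MB3170": (4, 1),
    "MB3270": (4, 1),
    "MB3280": (3, 1),
    "MB3480": (3, 1),
    "MB3660": (2, 3),
    "MB3180": (2, 1),
}

def parse_version(text):
    """Return the leading dotted-numeric part of a version string as a tuple.
    '3.1' -> (3, 1); '4.0.2 Build 18111215' -> (4, 0, 2). Suffix format is an assumption."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def normalize_model(model):
    """Map 'Moxa MGate MB3170' / 'mgate-mb3170' / 'MB 3170' to the bare 'MB3170' key."""
    m = re.search(r"MB\s*-?\s*(\d{4})", model, re.IGNORECASE)
    return f"MB{m.group(1)}" if m else None

def assess(model, version):
    """Return 'vulnerable', 'patched' or 'unknown-model' for one gateway."""
    key = normalize_model(model)
    if key not in MIN_PATCHED:
        return "unknown-model"  # model not covered by this advisory card
    return "patched" if parse_version(version) >= MIN_PATCHED[key] else "vulnerable"

def triage(inventory):
    """inventory: iterable of (hostname, model, version). Returns {hostname: status}."""
    return {host: assess(model, ver) for host, model, ver in inventory}

# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    ("gw-plant-01", "Moxa MGate MB3170", "4.0"),
    ("gw-plant-02", "Moxa MGate MB3270", "4.1"),
    ("gw-plant-03", "Moxa MGate MB3280", "3.1.2"),
    ("gw-plant-04", "Moxa MGate MB3480", "2.9 Build 17052916"),
    ("gw-plant-05", "Moxa MGate MB3180", "2.0.9"),
    ("gw-plant-06", "Moxa MGate MB3710", "1.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Note that a patch-level version such as 3.1.2 compares as at or above the 3.1 threshold, while 2.0.9 stays below 2.1.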

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts
  • Successful logins from unusual IP addresses
  • Configuration changes from unexpected sources

Network Indicators:

  • Unusual traffic patterns to/from MGate devices
  • Password interception attempts on management ports

SIEM Query:

source_ip IN (mgate_device_ips) AND (event_type='authentication' OR event_type='configuration_change')
