CVE-2019-9099

9.8 CRITICAL

📋 TL;DR

A buffer overflow vulnerability in the built-in web server of affected Moxa MGate devices allows remote attackers to cause denial of service and potentially execute arbitrary code. This affects multiple Moxa MGate industrial protocol gateway models with outdated firmware. Attackers can exploit this without authentication over the network.

💻 Affected Systems

Products:
  • Moxa MGate MB3170
  • Moxa MGate MB3270
  • Moxa MGate MB3280
  • Moxa MGate MB3480
  • Moxa MGate MB3660
  • Moxa MGate MB3180
Versions: MB3170/MB3270 before 4.1, MB3280/MB3480 before 3.1, MB3660 before 2.3, MB3180 before 2.1
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with web server enabled are vulnerable by default. These are industrial protocol gateways used in critical infrastructure.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, lateral movement within industrial networks, and disruption of critical industrial processes.

🟠

Likely Case

Denial of service causing device unavailability and disruption of industrial communications, with potential for limited code execution.

🟢

If Mitigated

No impact if devices are patched or properly segmented from untrusted networks.

🌐 Internet-Facing: HIGH - Directly exploitable over network without authentication, CVSS 9.8 indicates critical severity.
🏢 Internal Only: HIGH - Even internally, this is easily exploitable and affects critical industrial devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Buffer overflow in web server suggests straightforward exploitation. While no public PoC is documented, similar vulnerabilities in industrial devices are often weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: MB3170/MB3270: 4.1+, MB3280/MB3480: 3.1+, MB3660: 2.3+, MB3180: 2.1+

Vendor Advisory: https://www.moxa.com/en/support/support/security-advisory/mb3710-3180-3270-3280-3480-3660-vulnerabilities

Restart Required: Yes

Instructions:

1. Download the appropriate firmware from the Moxa support portal.
2. Back up the device configuration.
3. Upload the firmware via the web interface or console.
4. Reboot the device.
5. Verify the firmware version.

🔧 Temporary Workarounds

Disable web server (applies to: all affected models)
  • Disable the built-in web server if it is not required for operations.

Network segmentation (applies to: all affected models)
  • Isolate affected devices in a separate VLAN with strict firewall rules.

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to device management interfaces
  • Monitor for unusual traffic patterns or connection attempts to device web ports

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface at http://device-ip/ or the serial console, and compare it against the patched versions listed under Official Fix.

Check Version:

Via web: navigate to the device IP and read the firmware version from the system information page. Via CLI: connect over the serial console and check the system info.

Verify Fix Applied:

Confirm that the firmware version matches or exceeds the patched version for that model listed under Official Fix / Patch Version above.
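An added inventory check, not part of the advisory and not Moxa's own tooling, that applies the per-model fixed versions above to a list of devices. It assumes firmware strings are dotted integers, optionally prefixed with "V" and followed by build information that is ignored; the inventory entries are constructed sample data.

```python
import re

# Minimum fixed firmware version per affected model, from the Official Fix section.
FIXED_VERSIONS = {
    "MB3170": (4, 1),
    "MB3270": (4, 1),
    "MB3280": (3, 1),
    "MB3480": (3, 1),
    "MB3660": (2, 3),
    "MB3180": (2, 1),
}

# Assumption: firmware strings look like "4.0.5" or "V3.1 Build 19020817".
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """Return the dotted numeric part of a firmware string as a tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def normalize_model(model):
    """Reduce 'MGate MB3170', 'mb3170-x' etc. to the bare model number."""
    m = re.search(r"MB\d{4}", model.upper())
    if not m:
        raise ValueError(f"unrecognised model: {model!r}")
    return m.group(0)


def is_vulnerable(model, firmware):
    """True if firmware is below the fixed version; None if the model is not affected."""
    fixed = FIXED_VERSIONS.get(normalize_model(model))
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (4, 0, 5) < (4, 1), (4, 1, 2) >= (4, 1).
    return parse_version(firmware) < fixed


def triage(inventory):
    """Bucket (host, model, firmware) triples into vulnerable / patched / not_affected."""
    result = {"vulnerable": [], "patched": [], "not_affected": []}
    for host, model, fw in inventory:
        v = is_vulnerable(model, fw)
        bucket = "not_affected" if v is None else ("vulnerable" if v else "patched")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [("gw-01", "MGate MB3170", "4.0.5"), ("gw-02", "MB3660", "2.3"),
              ("gw-03", "MB3180", "V2.0 Build 1801"), ("gw-04", "MB3710", "1.0")]
    print(triage(sample))
```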

📡 Detection & Monitoring

Log Indicators:

  • Web server crash logs
  • Unusual HTTP requests with long payloads
  • Multiple connection attempts to web port

Network Indicators:

  • HTTP requests with unusually long headers or parameters to device port 80/443
  • Traffic patterns suggesting buffer overflow attempts

SIEM Query:

Generic pseudo-query; adapt the field names to your SIEM and restrict dest_ip to the addresses of the MGate devices:

dest_ip IN (<MGate device addresses>) AND dest_port IN (80, 443) AND http_request_length > 1000
