CVE-2021-33823

7.5 HIGH

📋 TL;DR

CVE-2021-33823 is a denial-of-service vulnerability in MOXA Mgate MB3180 gateways where attackers can exhaust web service resources by flooding TCP SYN packets. This affects industrial control systems using these specific protocol gateways, potentially disrupting operational technology networks.

💻 Affected Systems

Products:
  • MOXA Mgate MB3180
Versions: Version 2.1 Build 18113012
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web management interface; Modbus protocol functionality may continue operating.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete unavailability of the web management interface, potentially disrupting industrial control operations that rely on these gateways for protocol conversion and communication.

🟠 Likely Case: Temporary web service unavailability requiring a device reboot, causing operational disruption until service is restored.

🟢 If Mitigated: Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH - Directly exposed devices are trivial to attack with simple SYN flood tools.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SYN flood attack requiring no authentication; exploit tools widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: No official vendor advisory found in provided references

Restart Required: No

Instructions:

Check MOXA website for firmware updates; no specific patching instructions available in provided references.

🔧 Temporary Workarounds

Network Segmentation (all)

Isolate Mgate devices in separate network segments with firewall rules limiting access to the web interface.

Rate Limiting (all)

Implement network-level rate limiting for TCP SYN packets to the device's management IP.

🧯 If You Can't Patch

  • Restrict network access to web management interface to trusted IP addresses only
  • Monitor for SYN flood patterns and implement automated blocking of suspicious source IPs

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or serial console; if it is running Version 2.1 Build 18113012, the device is vulnerable.

Check Version:

Check via web interface at System > Information or via serial console connection

Verify Fix Applied:

Verify firmware has been updated to a version later than 2.1 Build 18113012

📡 Detection & Monitoring

Log Indicators:

  • High volume of TCP SYN packets to port 80/443
  • Web service crash/restart events
  • Connection timeout errors

Network Indicators:

  • SYN flood patterns to device IP
  • Unusual high-volume traffic to management ports
  • TCP half-open connection buildup

SIEM Query:

source_ip=* AND dest_port IN (80,443) AND tcp_flags="SYN" AND count > threshold
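A concrete form of the SIEM query above, as an added example that is not from the advisory: it replays constructed packet log lines, tracks half-open SYNs per source toward the gateway's web ports inside a sliding window, and flags sources that exceed a threshold. The gateway address, window length and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample packet log (not from the advisory). One record per TCP
# segment seen in front of the gateway: "<ISO time> <src> <dst> <dst_port> <flags>".
SAMPLE_LOG = "\n".join(
    ["2024-01-01T10:00:00 10.0.0.5 192.0.2.10 80 SYN",      # normal admin session:
     "2024-01-01T10:00:00 10.0.0.5 192.0.2.10 80 ACK",      #   SYN completed by ACK
     "2024-01-01T10:00:01 10.0.0.7 192.0.2.10 502 SYN",     # Modbus/TCP, not a web port
     "2024-01-01T10:00:00 10.0.0.9 192.0.2.10 80 SYN",      # slow source: 3 SYNs
     "2024-01-01T10:00:20 10.0.0.9 192.0.2.10 80 SYN",      #   spread over 40 s,
     "2024-01-01T10:00:40 10.0.0.9 192.0.2.10 80 SYN"]      #   never inside one window
    + [f"2024-01-01T10:00:0{i % 3} 198.51.100.23 192.0.2.10 80 SYN"
       for i in range(8)]                                   # 8 SYNs in 3 s, no ACKs
)

GATEWAY_IP = "192.0.2.10"       # assumed management IP of the MGate MB3180
WEB_PORTS = {80, 443}           # management interface ports listed under Log Indicators
WINDOW = timedelta(seconds=10)  # assumed sliding window
THRESHOLD = 5                   # assumed max half-open SYNs per source inside the window

def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags

def detect_syn_flood(log_text, gateway_ip=GATEWAY_IP, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak_half_open} for sources that keep more than `threshold`
    SYNs to the gateway's web ports un-acknowledged within `window`."""
    pending = defaultdict(deque)   # src -> timestamps of SYNs not yet followed by an ACK
    flagged = {}
    records = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    for ts, src, dst, port, flags in sorted(records, key=lambda r: r[0]):
        if dst != gateway_ip or port not in WEB_PORTS:
            continue                                  # only the web management interface
        q = pending[src]
        while q and ts - q[0] > window:               # drop SYNs older than the window
            q.popleft()
        if flags == "SYN":
            q.append(ts)
        elif flags == "ACK" and q:
            q.popleft()                               # handshake completed: not half-open
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

if __name__ == "__main__":
    for src, peak in detect_syn_flood(SAMPLE_LOG).items():
        print(f"possible SYN flood from {src}: {peak} half-open connections to web ports")
```

The completed session and the slow source stay below the threshold; only the burst of unacknowledged SYNs is reported.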
