CVE-2022-40693 – CVE-2022-40693 is a cleartext transmission vuln... (How to Fix)

Q: What is the severity of CVE-2022-40693?

CVE-2022-40693 has a CVSS score of 7.5 (HIGH). CVE-2022-40693 is a cleartext transmission vulnerability in Moxa SDS-3008 industrial switches that allows attackers to intercept sensitive information like credentials by sniffing network traffic. This affects organizations using these switches in industrial control systems where web management traffic is transmitted without encryption. The vulnerability requires network access to the switch's management interface.

📋 TL;DR

CVE-2022-40693 is a cleartext transmission vulnerability in Moxa SDS-3008 industrial switches that allows attackers to intercept sensitive information like credentials by sniffing network traffic. This affects organizations using these switches in industrial control systems where web management traffic is transmitted without encryption. The vulnerability requires network access to the switch's management interface.

💻 Affected Systems

Products:

Moxa SDS-3008 Series Industrial Ethernet Switch

Versions: Version 2.1

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects web management interface traffic; requires HTTP traffic to be transmitted without TLS/SSL encryption.

📦 What is this software?

Sds 3008 Firmware by Moxa

View all CVEs affecting Sds 3008 Firmware →

Sds 3008 T Firmware by Moxa

View all CVEs affecting Sds 3008 T Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative credentials, compromise the industrial network, disrupt operations, and potentially pivot to other critical systems.

🟠

Likely Case

Attackers capture login credentials or configuration data, enabling unauthorized access to switch management and network reconnaissance.

🟢

If Mitigated

With proper network segmentation and encryption, attackers cannot intercept sensitive traffic, limiting impact to isolated network segments.

🌐 Internet-Facing: HIGH if switches are directly internet-accessible, as attackers can easily sniff unencrypted traffic from anywhere.

🏢 Internal Only: MEDIUM if switches are on internal networks, requiring attacker presence on the same network segment to sniff traffic.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to sniff traffic; no authentication needed as it's a passive attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific patched versions

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/sds-3008-series-multiple-web-vulnerabilities

Restart Required: Yes

Instructions:

1. Download firmware update from Moxa support site. 2. Backup current configuration. 3. Apply firmware update via web interface or console. 4. Reboot switch. 5. Verify encryption is enabled for web management.

🔧 Temporary Workarounds

Enable HTTPS/TLS for web management

all

Configure switch to use HTTPS instead of HTTP for web interface access

Configure via web interface: System > Network > HTTP/HTTPS > Enable HTTPS

Network segmentation

all

Isolate switch management traffic to dedicated VLANs with restricted access

Configure VLANs and ACLs on network devices to restrict access to switch management IP

🧯 If You Can't Patch

Implement network encryption (IPsec/VPN) for all management traffic to/from switches
Restrict physical and network access to switches, monitor for unauthorized sniffing activity

🔍 How to Verify

Check if Vulnerable:

Check if web interface uses HTTP instead of HTTPS by accessing switch IP with http:// and observing lack of encryption in browser

Check Version:

Login to web interface and check System > About > Firmware Version

Verify Fix Applied:

Verify HTTPS is enabled and functional by accessing https://switch-ip and confirming valid certificate

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts from unusual IPs
Configuration changes from unauthorized users

Network Indicators:

Unencrypted HTTP traffic to switch management IP on port 80
ARP spoofing or unusual sniffing activity on switch network

SIEM Query:

source_ip="switch_ip" AND protocol="HTTP" AND NOT protocol="HTTPS"

📊 Metadata

CVE ID: CVE-2022-40693

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-319

Published: February 7, 2023

Last Updated: November 21, 2024

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1616 Exploit,Third Party Advisory
https://www.moxa.com/en/support/product-support/security-advisory/sds-3008-series-multiple-web-vulnerabilities Vendor Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1616 Exploit,Third Party Advisory
https://www.moxa.com/en/support/product-support/security-advisory/sds-3008-series-multiple-web-vulnerabilities Vendor Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1616

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-40693, you might also want to check these: