CVE-2023-5961

8.8 HIGH

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in ioLogik E1200 Series firmware allows attackers to trick authenticated users into performing unintended actions on the web server. This affects all users of ioLogik E1200 Series devices running firmware version 3.3 or earlier. Because the web server treats forged requests as legitimate, an attacker can potentially perform operations on behalf of the victim.

💻 Affected Systems

Products:
  • ioLogik E1200 Series
Versions: v3.3 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with web interface enabled are vulnerable when accessed by authenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could perform administrative operations such as changing device configurations, disabling security settings, or disrupting industrial operations, potentially leading to operational downtime or safety issues.

🟠 Likely Case

Attackers could modify device settings, change user permissions, or disrupt normal operations by exploiting authenticated sessions of legitimate users.

🟢 If Mitigated

With proper CSRF protections and network segmentation, the impact is limited to unauthorized configuration changes that can be detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated and visit a malicious webpage while having an active session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.4 or later

Vendor Advisory: https://www.moxa.com/en/support/product-support/security-advisory/mpsa-235250-iologik-e1200-series-web-server-vulnerability

Restart Required: Yes

Instructions:

1. Download firmware v3.4 or later from the Moxa website.
2. Back up the current configuration.
3. Upload the new firmware via the web interface.
4. Restart the device.
5. Restore the configuration if needed.

🔧 Temporary Workarounds

Implement CSRF Tokens

Add anti-CSRF tokens to web forms and validate them server-side

Network Segmentation

Isolate ioLogik devices from untrusted networks and user workstations

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to ioLogik devices
  • Require users to log out after each session and avoid persistent authentication

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface: System > About. If the version is 3.3 or earlier, the device is vulnerable.

Check Version:

Check via web interface or SSH: show version

Verify Fix Applied:

After patching, verify firmware version shows 3.4 or later in System > About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected configuration changes
  • Multiple failed login attempts followed by configuration modifications
  • Requests without proper referrer headers

Network Indicators:

  • HTTP POST requests from unexpected sources to configuration endpoints
  • Cross-origin requests to ioLogik web interface

SIEM Query:

source="iologik" AND (event_type="config_change" OR url_path="/config/") AND NOT user_agent="browser_agent"
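
The log and network indicators above (missing referrer headers, cross-origin requests, POSTs to configuration endpoints) can be checked with a short script. This is an added example, not vendor code or part of the original advisory. It assumes a proxy or network sensor that records request headers as JSON lines; the field names, device addresses and sample records are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: addresses of the monitored ioLogik web interfaces (documentation-range IPs).
DEVICE_HOSTS = {"192.0.2.10", "192.0.2.11"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}

# Constructed sample records (one JSON object per line); field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2024-01-10T08:00:01Z","src":"10.0.5.20","method":"GET","url":"http://192.0.2.10/","origin":"","referer":""}
{"ts":"2024-01-10T08:00:09Z","src":"10.0.5.20","method":"POST","url":"http://192.0.2.10/config/","origin":"http://192.0.2.10","referer":"http://192.0.2.10/settings"}
{"ts":"2024-01-10T08:03:44Z","src":"10.0.5.21","method":"POST","url":"http://192.0.2.10/config/","origin":"https://news.example","referer":"https://news.example/article"}
{"ts":"2024-01-10T08:05:12Z","src":"10.0.5.22","method":"POST","url":"http://192.0.2.11/config/","origin":"","referer":""}
{"ts":"2024-01-10T08:06:30Z","src":"10.0.5.21","method":"POST","url":"http://192.0.2.10/config/","origin":"null","referer":""}
{"ts":"2024-01-10T08:07:02Z","src":"10.0.5.23","method":"POST","url":"http://198.51.100.7/login","origin":"https://news.example","referer":""}
"""


def header_host(value):
    """Host part of an Origin or Referer value, or None when the header is absent."""
    return urlsplit(value).hostname if value else None


def classify(record):
    """Return a reason string for a suspect request, or None if it looks benign."""
    target = urlsplit(record["url"]).hostname
    if target not in DEVICE_HOSTS or record["method"].upper() not in STATE_CHANGING:
        return None
    origin = record.get("origin", "")
    if origin == "null":  # browsers send "null" for opaque origins (sandboxed frames)
        return "opaque-origin"
    source = header_host(origin) or header_host(record.get("referer", ""))
    if source is None:  # may also be a non-browser client; review against known tooling
        return "missing-origin-and-referer"
    return "cross-origin" if source != target else None


def find_suspect_requests(log_text):
    """Parse JSON-lines log text and return (ts, src, url, reason) for each hit."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        record = json.loads(line)
        reason = classify(record)
        if reason:
            hits.append((record["ts"], record["src"], record["url"], reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Correlating a hit with a configuration change on the same device shortly afterwards covers the "unexpected configuration changes" indicator as well.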
