Vulnerability-Lookup

CNVD-2020-53805

Vulnerability from cnvd - Published: 2020-09-24

Title

Moxa MGate 5105-MB-EIP操作系统命令注入漏洞

Description

MGate 5105-MB-EIP是一个支持MQTT或第三方云服务（例如：Azure 和 Alibaba Cloud）的工业以太网网关，可为IIoT应用建构Modbus RTU/ASCII/TCP和EtherNet/IP网络通信。使用4.1版本固件的Moxa MGate 5105-MB-EIP中的MainPing.asp文件的‘DestIP’参数存在操作系统命令注入漏洞，该漏洞源于在使用用户提交的字符串来执行系统调用之前，程序未能进行正确的验证。远程攻击者可利用该漏洞执行任意代码。

Severity

低

Patch Name

Moxa MGate 5105-MB-EIP操作系统命令注入漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability

Reference

https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability

Impacted products

Name
Moxa mgate_5105-mb-eip_firmware <4.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8858",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-8858"
    }
  },
  "description": "MGate 5105-MB-EIP\u662f\u4e00\u4e2a\u652f\u6301MQTT\u6216\u7b2c\u4e09\u65b9\u4e91\u670d\u52a1\uff08\u4f8b\u5982\uff1aAzure \u548c Alibaba Cloud\uff09\u7684\u5de5\u4e1a\u4ee5\u592a\u7f51\u7f51\u5173\uff0c\u53ef\u4e3aIIoT\u5e94\u7528\u5efa\u6784Modbus RTU/ASCII/TCP\u548cEtherNet/IP\u7f51\u7edc\u901a\u4fe1\u3002\n\n\u4f7f\u75284.1\u7248\u672c\u56fa\u4ef6\u7684Moxa MGate 5105-MB-EIP\u4e2d\u7684MainPing.asp\u6587\u4ef6\u7684\u2018DestIP\u2019\u53c2\u6570\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4f7f\u7528\u7528\u6237\u63d0\u4ea4\u7684\u5b57\u7b26\u4e32\u6765\u6267\u884c\u7cfb\u7edf\u8c03\u7528\u4e4b\u524d\uff0c\u7a0b\u5e8f\u672a\u80fd\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-53805",
  "openTime": "2020-09-24",
  "patchDescription": "MGate 5105-MB-EIP\u662f\u4e00\u4e2a\u652f\u6301MQTT\u6216\u7b2c\u4e09\u65b9\u4e91\u670d\u52a1\uff08\u4f8b\u5982\uff1aAzure \u548c Alibaba Cloud\uff09\u7684\u5de5\u4e1a\u4ee5\u592a\u7f51\u7f51\u5173\uff0c\u53ef\u4e3aIIoT\u5e94\u7528\u5efa\u6784Modbus RTU/ASCII/TCP\u548cEtherNet/IP\u7f51\u7edc\u901a\u4fe1\u3002\r\n\r\n\u4f7f\u75284.1\u7248\u672c\u56fa\u4ef6\u7684Moxa MGate 5105-MB-EIP\u4e2d\u7684MainPing.asp\u6587\u4ef6\u7684\u2018DestIP\u2019\u53c2\u6570\u5b58\u5728\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4f7f\u7528\u7528\u6237\u63d0\u4ea4\u7684\u5b57\u7b26\u4e32\u6765\u6267\u884c\u7cfb\u7edf\u8c03\u7528\u4e4b\u524d\uff0c\u7a0b\u5e8f\u672a\u80fd\u8fdb\u884c\u6b63\u786e\u7684\u9a8c\u8bc1\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Moxa MGate 5105-MB-EIP\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Moxa mgate_5105-mb-eip_firmware \u003c4.1"
  },
  "referenceLink": "https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability",
  "serverity": "\u4f4e",
  "submitTime": "2020-03-09",
  "title": "Moxa MGate 5105-MB-EIP\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-8858 (GCVE-0-2020-8858)

Vulnerability from cvelistv5 – Published: 2020-02-13 22:20 – Updated: 2024-08-04 10:12

Summary

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552.

Severity

8.8 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

zdi

References

2 references

URL	Tags
https://www.zerodayinitiative.com/advisories/ZDI-…	x_refsource_MISC
https://www.moxa.com/en/support/support/security-…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Moxa	MGate 5105-MB-EIP	Affected: firmware version 4.1

Credits

Dove Chiu, Philippe Lin, Charles Perine, Marco Balduzzi, Ryan Flores, Rainer Vosseler

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:12:10.972Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-214/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "MGate 5105-MB-EIP",
          "vendor": "Moxa",
          "versions": [
            {
              "status": "affected",
              "version": "firmware version 4.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Dove Chiu, Philippe Lin, Charles Perine, Marco Balduzzi, Ryan Flores, Rainer Vosseler"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-13T22:20:44.000Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-214/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "zdi-disclosures@trendmicro.com",
          "ID": "CVE-2020-8858",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "MGate 5105-MB-EIP",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "firmware version 4.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Moxa"
              }
            ]
          }
        },
        "credit": "Dove Chiu, Philippe Lin, Charles Perine, Marco Balduzzi, Ryan Flores, Rainer Vosseler",
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Moxa MGate 5105-MB-EIP firmware version 4.1. Authentication is required to exploit this vulnerability. The specific flaw exists within the DestIP parameter within MainPing.asp. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-9552."
            }
          ]
        },
        "impact": {
          "cvss": {
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-20-214/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-20-214/"
            },
            {
              "name": "https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability",
              "refsource": "MISC",
              "url": "https://www.moxa.com/en/support/support/security-advisory/mgate-5105-mb-eip-series-protocol-gateways-vulnerability"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2020-8858",
    "datePublished": "2020-02-13T22:20:44.000Z",
    "dateReserved": "2020-02-11T00:00:00.000Z",
    "dateUpdated": "2024-08-04T10:12:10.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2020-53805

CVE-2020-8858 (GCVE-0-2020-8858)

Tags

Sightings

Nomenclature