VAR-202109-1171
Vulnerability from variot - Updated: 2025-01-30 19:35Certain MOXA devices allow reflected XSS via the Config Import menu. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. plural MOXA A cross-site scripting vulnerability exists in the device.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Many Moxa devices suffer from command injection, cross site scripting, and outdated software vulnerabilities. SEC Consult Vulnerability Lab Security Advisory < 20210901-0 > ======================================================================= title: Multiple vulnerabilities product: see "Vulnerable / tested versions" vulnerable version: see "Vulnerable / tested versions" fixed version: see "Solution" CVE number: CVE-2021-39278, CVE-2021-39279 impact: High homepage: https://www.moxa.com/ found: 2020-08-31 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
"Together, We Create Change
Moxa is committed to making a positive impact around the world. We put our all behind this commitment--from our employees, to our products and supply chain.
In our local communities, we nurture and support the spirit of volunteering. We encourage our employees to contribute to community development, with an emphasis on ecology, education, and health.
In our products, we invest in social awareness programs and environment-friendly policies at every stage of the product lifecycle. We make sure our manufacturing meets the highest standards with regards to quality, ethics, and sustainability."
Source: https://www.moxa.com/en/about-us/corporate-responsibility
Business recommendation:
SEC Consult recommends to immediately apply the available patches from the vendor. A thorough security review should be performed by security professionals to identify further potential security issues.
Vulnerability overview/description:
1) Authenticated Command Injection (CVE-2021-39279) An authenticated command injection vulnerability can be triggered by issuing a GET request to the "/forms/web_importTFTP" CGI program which is available on the web interface. An attacker can abuse this vulnerability to compromise the operating system of the device. This issue was found by emulating the firmware of the device.
3) Known GNU glibc Vulnerabilities (CVE-2015-0235) The used GNU glibc in version 2.9 is outdated and contains multiple known vulnerabilities. One of the discovered vulnerabilities (CVE-2015-0235, gethostbyname "GHOST" buffer overflow) was verified by using the MEDUSA scalable firmware runtime.
4) Multiple Outdated Software Components Multiple outdated software components containing vulnerabilities were found by the IoT Inspector.
The vulnerabilities 1), 2) and 3) were manually verified on an emulated device by using the MEDUSA scalable firmware runtime.
Proof of concept:
1) Authenticated Command Injection (CVE-2021-39279) The vulnerability can be triggered by navigating in the web interface to the tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "TFTP Import" menu is prone to command injection via all parameters. To exploit the vulnerability, an IP address, a configuration path and a filename must be set. If the filename is used to trigger the exploit, the payload in the interceptor proxy would be:
http://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1&configPath=/&fileName=name|ping localhost -c 100
2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278) The vulnerability can be triggered by navigating in the web interface to the tab:
"Main Menu"->"Maintenance"->"Config Import Export"
The "Config Import" menu is prone to reflected cross-site scripting via the upload of config files. Example of malicious config file:
[board] deviceName="WAC-2004_0000alert(document.cookie)" deviceLocation="" [..]
Uploading such a crafted file triggers cross-site scripting as the erroneous value is displayed without filtering characters.
3) Known GNU glibc Vulnerabilities (CVE-2015-0235) GNU glibc version 2.9 contains multiple CVEs like: CVE-2016-1234, CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more.
The gethostbyname buffer overflow vulnerability (GHOST) was checked with the help of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled and executed on the emulated device to test the system.
4) Multiple Outdated Software Components The IoT Inspector recognized multiple outdated software components with known vulnerabilities:
BusyBox 1.18.5 06/2011 Dropbear SSH 2011.54 11/2011 GNU glibc 2.9 02/2009 Linux Kernel 2.6.27 10/2008 OpenSSL 0.9.7g 04/2005 Only found in the program "iw_director" OpenSSL 1.0.0 03/2010
Vulnerable / tested versions:
The following firmware versions for various devices have been identified to be vulnerable: * WAC-2004 / 1.7 * WAC-1001 / 2.1 * WAC-1001-T / 2.1 * OnCell G3470A-LTE-EU / 1.7 * OnCell G3470A-LTE-EU-T / 1.7 * TAP-323-EU-CT-T / 1.3 * TAP-323-US-CT-T / 1.3 * TAP-323-JP-CT-T / 1.3 * WDR-3124A-EU / 2.3 * WDR-3124A-EU-T / 2.3 * WDR-3124A-US / 2.3 * WDR-3124A-US-T / 2.3
Vendor contact timeline:
2020-10-09: Contacting vendor through moxa.csrt@moxa.com. 2020-10-12: Contact sends PGP key for encrypted communication and asks for the detailed advisory. Sent encrypted advisory to vendor. 2020-11-06: Status update from vendor regarding technical analysis. Vendor requested more time for fixing the vulnerabilities as more products are affected. 2020-11-09: Granted more time for fixing to vendor. 2020-11-10: Vendor asked for next steps regarding the advisory publication. 2020-11-11: Asked vendor for an estimation when a public disclosure is possible. 2020-11-16: Vendor responded that the product team can give a rough feedback. 2020-11-25: Asked for a status update. 2020-11-25: Vendor responded that the investigation is not done yet. 2020-12-14: Vendor provided a list of potential affected devices and stated that full investigation may take until January 2021 due to the list of CVEs that were provided with the appended IoT Inspector report. The patches may be available until June 2021. 2020-12-15: Shifted next status update round with vendor on May 2021. 2020-12-23: Vendor provided full list of affected devices. 2021-02-05: Vendor sieved out the found issues from 4) manually and provided a full list of confirmed vulnerabilities. WAC-2004 phased-out in 2019. 2021-02-21: Confirmed receive of vulnerabilities, next status update in May 2021. 2021-06-10: Asking for an update. 2021-06-15: Vendor stated, that the update will be provided in the next days. 2021-06-21: Vendor will give an update in the next week as Covid gets worse in Taiwan. 2021-06-23: Vendor stated, that patches are under development. Vendor needs more time to finish the patches. 2021-06-24: Set release date to 2021-09-01. 2021-07-02: Vendor provides status updates. 2021-08-16: Vendor provides status updates. 2021-08-17: Vendor asks for CVE IDs and stated, that WDR-3124A has phased-out. 2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers. 2021-08-31: Vendor provides fixed firmware version numbers and the advisory links. 2021-09-01: Coordinated release of security advisory.
Solution:
According to the vendor the following patches must be applied to fix issues: * WAC-1001 / 2.1.5 * WAC-1001-T / 2.1.5 * OnCell G3470A-LTE-EU / 1.7.4 * OnCell G3470A-LTE-EU-T / 1.7.4 * TAP-323-EU-CT-T / 1.8.1 * TAP-323-US-CT-T / 1.8.1 * TAP-323-JP-CT-T / 1.8.1
The Moxa Technical Support must be contacted for requesting the security patches.
The corresponding security advisories for the affected devices are available on the vendor's website: TAP-323/WAC-1001/WAC-2004 https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities OnCell G3470A-LTE/WDR-3124A https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities
The following device models are EOL and should be replaced: * WAC-2004 * WDR-3124A-EU * WDR-3124A-EU-T * WDR-3124A-US * WDR-3124A-US-T
Workaround:
None.
Advisory URL:
https://sec-consult.com/vulnerability-lab/
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult
EOF Thomas Weber / @2021
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202109-1171",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "oncell g3470a-lte-eu-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.7"
},
{
"model": "wdr-3124a-us-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.3"
},
{
"model": "wac-1001-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.1"
},
{
"model": "wac-2004",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.7"
},
{
"model": "tap-323-eu-ct-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.3"
},
{
"model": "oncell g3470a-lte-eu",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.7"
},
{
"model": "tap-323-us-ct-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.3"
},
{
"model": "tap-323-jp-ct-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "1.3"
},
{
"model": "wdr-3124a-eu",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.3"
},
{
"model": "wdr-3124a-us",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.3"
},
{
"model": "wdr-3124a-eu-t",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.3"
},
{
"model": "wac-1001",
"scope": "eq",
"trust": 1.0,
"vendor": "moxa",
"version": "2.1"
},
{
"model": "wdr-3124a-eu-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-2004",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "tap-323-eu-ct-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "oncellg3470a-lte-eu",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wdr-3124a-eu",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "tap-323-us-ct-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "tap-323-jp-ct-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "oncellg3470a-lte-eu-t",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber",
"sources": [
{
"db": "PACKETSTORM",
"id": "164014"
}
],
"trust": 0.1
},
"cve": "CVE-2021-39278",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "CVE-2021-39278",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"id": "CVE-2021-39278",
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2021-39278",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2021-39278",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2021-39278",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-202109-068",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Certain MOXA devices allow reflected XSS via the Config Import menu. This affects WAC-2004 1.7, WAC-1001 2.1, WAC-1001-T 2.1, OnCell G3470A-LTE-EU 1.7, OnCell G3470A-LTE-EU-T 1.7, TAP-323-EU-CT-T 1.3, TAP-323-US-CT-T 1.3, TAP-323-JP-CT-T 1.3, WDR-3124A-EU 2.3, WDR-3124A-EU-T 2.3, WDR-3124A-US 2.3, and WDR-3124A-US-T 2.3. plural MOXA A cross-site scripting vulnerability exists in the device.Information may be obtained and information may be tampered with. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Many Moxa devices suffer from command injection, cross site scripting, and outdated software vulnerabilities. SEC Consult Vulnerability Lab Security Advisory \u003c 20210901-0 \u003e\n=======================================================================\n title: Multiple vulnerabilities\n product: see \"Vulnerable / tested versions\"\n vulnerable version: see \"Vulnerable / tested versions\"\n fixed version: see \"Solution\"\n CVE number: CVE-2021-39278, CVE-2021-39279\n impact: High\n homepage: https://www.moxa.com/\n found: 2020-08-31\n by: T. Weber (Office Vienna)\n SEC Consult Vulnerability Lab\n\n An integrated part of SEC Consult, an Atos company\n Europe | Asia | North America\n\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor description:\n-------------------\n\"Together, We Create Change\n\nMoxa is committed to making a positive impact around the world. We put our all\nbehind this commitment--from our employees, to our products and supply chain. \n\nIn our local communities, we nurture and support the spirit of volunteering. \nWe encourage our employees to contribute to community development, with an\nemphasis on ecology, education, and health. \n\nIn our products, we invest in social awareness programs and\nenvironment-friendly policies at every stage of the product lifecycle. We make\nsure our manufacturing meets the highest standards with regards to quality,\nethics, and sustainability.\"\n\nSource: https://www.moxa.com/en/about-us/corporate-responsibility\n\nBusiness recommendation:\n------------------------\nSEC Consult recommends to immediately apply the available patches\nfrom the vendor. A thorough security review should be performed by\nsecurity professionals to identify further potential security issues. \n\n\nVulnerability overview/description:\n-----------------------------------\n1) Authenticated Command Injection (CVE-2021-39279)\nAn authenticated command injection vulnerability can be triggered by issuing a\nGET request to the \"/forms/web_importTFTP\" CGI program which is available on\nthe web interface. An attacker can abuse this vulnerability to compromise the\noperating system of the device. This issue was found by emulating the firmware\nof the device. \n\n3) Known GNU glibc Vulnerabilities (CVE-2015-0235)\nThe used GNU glibc in version 2.9 is outdated and contains multiple known\nvulnerabilities. One of the discovered vulnerabilities (CVE-2015-0235,\ngethostbyname \"GHOST\" buffer overflow) was verified by using the MEDUSA\nscalable firmware runtime. \n\n4) Multiple Outdated Software Components\nMultiple outdated software components containing vulnerabilities were found by\nthe IoT Inspector. \n\nThe vulnerabilities 1), 2) and 3) were manually verified on an emulated device\nby using the MEDUSA scalable firmware runtime. \n\nProof of concept:\n-----------------\n1) Authenticated Command Injection (CVE-2021-39279)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"-\u003e\"Maintenance\"-\u003e\"Config Import Export\"\n\nThe \"TFTP Import\" menu is prone to command injection via all parameters. To\nexploit the vulnerability, an IP address, a configuration path and a filename\nmust be set. \nIf the filename is used to trigger the exploit, the payload in the interceptor\nproxy would be:\n\nhttp://192.168.1.1/forms/web_importTFTP?servIP=192.168.1.1\u0026configPath=/\u0026fileName=name|`ping localhost -c 100`\n\n\n2) Reflected Cross-Site Scripting via Manipulated Config-File (CVE-2021-39278)\nThe vulnerability can be triggered by navigating in the web interface to the\ntab:\n\n\"Main Menu\"-\u003e\"Maintenance\"-\u003e\"Config Import Export\"\n\nThe \"Config Import\" menu is prone to reflected cross-site scripting via the\nupload of config files. Example of malicious config file:\n-------------------------------------------------------------------------------\n[board]\ndeviceName=\"WAC-2004_0000\u003c/span\u003e\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\"\ndeviceLocation=\"\"\n[..]\n-------------------------------------------------------------------------------\nUploading such a crafted file triggers cross-site scripting as the erroneous\nvalue is displayed without filtering characters. \n\n\n3) Known GNU glibc Vulnerabilities (CVE-2015-0235)\nGNU glibc version 2.9 contains multiple CVEs like:\nCVE-2016-1234, CVE-2015-7547, CVE-2013-7423, CVE-2013-1914, and more. \n\nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the\nhelp of the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was\ncompiled and executed on the emulated device to test the system. \n\n\n4) Multiple Outdated Software Components\nThe IoT Inspector recognized multiple outdated software components with known\nvulnerabilities:\n\nBusyBox 1.18.5 06/2011\nDropbear SSH 2011.54 11/2011\nGNU glibc 2.9 02/2009\nLinux Kernel 2.6.27 10/2008\nOpenSSL 0.9.7g 04/2005\nOnly found in the program \"iw_director\"\nOpenSSL 1.0.0 03/2010\n\n\nVulnerable / tested versions:\n-----------------------------\nThe following firmware versions for various devices have been identified\nto be vulnerable:\n* WAC-2004 / 1.7\n* WAC-1001 / 2.1\n* WAC-1001-T / 2.1\n* OnCell G3470A-LTE-EU / 1.7\n* OnCell G3470A-LTE-EU-T / 1.7\n* TAP-323-EU-CT-T / 1.3\n* TAP-323-US-CT-T / 1.3\n* TAP-323-JP-CT-T / 1.3\n* WDR-3124A-EU / 2.3\n* WDR-3124A-EU-T / 2.3\n* WDR-3124A-US / 2.3\n* WDR-3124A-US-T / 2.3\n\n\nVendor contact timeline:\n------------------------\n2020-10-09: Contacting vendor through moxa.csrt@moxa.com. \n2020-10-12: Contact sends PGP key for encrypted communication and asks for the\n detailed advisory. Sent encrypted advisory to vendor. \n2020-11-06: Status update from vendor regarding technical analysis. Vendor\n requested more time for fixing the vulnerabilities as more products\n are affected. \n2020-11-09: Granted more time for fixing to vendor. \n2020-11-10: Vendor asked for next steps regarding the advisory publication. \n2020-11-11: Asked vendor for an estimation when a public disclosure is possible. \n2020-11-16: Vendor responded that the product team can give a rough feedback. \n2020-11-25: Asked for a status update. \n2020-11-25: Vendor responded that the investigation is not done yet. \n2020-12-14: Vendor provided a list of potential affected devices and stated\n that full investigation may take until January 2021 due to the list\n of CVEs that were provided with the appended IoT Inspector report. \n The patches may be available until June 2021. \n2020-12-15: Shifted next status update round with vendor on May 2021. \n2020-12-23: Vendor provided full list of affected devices. \n2021-02-05: Vendor sieved out the found issues from 4) manually and provided a\n full list of confirmed vulnerabilities. WAC-2004 phased-out in\n 2019. \n2021-02-21: Confirmed receive of vulnerabilities, next status update in May\n 2021. \n2021-06-10: Asking for an update. \n2021-06-15: Vendor stated, that the update will be provided in the next days. \n2021-06-21: Vendor will give an update in the next week as Covid gets worse in\n Taiwan. \n2021-06-23: Vendor stated, that patches are under development. Vendor needs more\n time to finish the patches. \n2021-06-24: Set release date to 2021-09-01. \n2021-07-02: Vendor provides status updates. \n2021-08-16: Vendor provides status updates. \n2021-08-17: Vendor asks for CVE IDs and stated, that WDR-3124A has phased-out. \n2021-08-20: Sent assigned CVE-IDs to vendor. Asked for fixed version numbers. \n2021-08-31: Vendor provides fixed firmware version numbers and the advisory\n links. \n2021-09-01: Coordinated release of security advisory. \n\nSolution:\n---------\nAccording to the vendor the following patches must be applied to fix issues:\n* WAC-1001 / 2.1.5\n* WAC-1001-T / 2.1.5\n* OnCell G3470A-LTE-EU / 1.7.4\n* OnCell G3470A-LTE-EU-T / 1.7.4\n* TAP-323-EU-CT-T / 1.8.1\n* TAP-323-US-CT-T / 1.8.1\n* TAP-323-JP-CT-T / 1.8.1\n\nThe Moxa Technical Support must be contacted for requesting the security\npatches. \n\nThe corresponding security advisories for the affected devices are available on\nthe vendor\u0027s website:\nTAP-323/WAC-1001/WAC-2004\nhttps://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities\nOnCell G3470A-LTE/WDR-3124A\nhttps://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities\n\nThe following device models are EOL and should be replaced:\n* WAC-2004\n* WDR-3124A-EU\n* WDR-3124A-EU-T\n* WDR-3124A-US\n* WDR-3124A-US-T\n\n\nWorkaround:\n-----------\nNone. \n\n\nAdvisory URL:\n-------------\nhttps://sec-consult.com/vulnerability-lab/\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult, an Atos company\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an\nAtos company. It ensures the continued knowledge gain of SEC Consult in the\nfield of network and application security to stay ahead of the attacker. The\nSEC Consult Vulnerability Lab supports high-quality penetration testing and\nthe evaluation of new offensive and defensive technologies for our customers. \nHence our customers obtain the most current information about vulnerabilities\nand valid recommendation about the risk profile of new technologies. \n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://sec-consult.com/career/\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://sec-consult.com/contact/\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF Thomas Weber / @2021\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-39278"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "VULMON",
"id": "CVE-2021-39278"
},
{
"db": "PACKETSTORM",
"id": "164014"
}
],
"trust": 2.34
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-39278",
"trust": 3.5
},
{
"db": "PACKETSTORM",
"id": "164014",
"trust": 2.6
},
{
"db": "JVNDB",
"id": "JVNDB-2021-011303",
"trust": 0.8
},
{
"db": "CS-HELP",
"id": "SB2021041363",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021090703",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068",
"trust": 0.6
},
{
"db": "OTHER",
"id": "NONE",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2021-39278",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-39278"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"id": "VAR-202109-1171",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "OTHER",
"id": null
}
],
"trust": 0.01
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"network device"
],
"sub_category": "access point",
"trust": 0.1
}
],
"sources": [
{
"db": "OTHER",
"id": null
}
]
},
"last_update_date": "2025-01-30T19:35:23.561000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top\u00a0Page",
"trust": 0.8,
"url": "https://www.moxa.com/en/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
},
{
"problemtype": "Cross-site scripting (CWE-79) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/164014"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39278"
},
{
"trust": 0.7,
"url": "https://packetstormsecurity.com/files/164014/moxa-command-injection-cross-site-scripting-vulnerable-software.html"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021041363"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021090703"
},
{
"trust": 0.1,
"url": "https://ieeexplore.ieee.org/abstract/document/10769424"
},
{
"trust": 0.1,
"url": "http://seclists.org/fulldisclosure/2021/sep/0"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/support/product-support/security-advisory/oncell-g3470a-wdr-3124a-cellular-gateways-router-vulnerabilities"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-0235"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/about-us/corporate-responsibility"
},
{
"trust": 0.1,
"url": "https://seclists.org/oss-sec/2015/q1/274."
},
{
"trust": 0.1,
"url": "https://sec-consult.com/contact/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-7423"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/vulnerability-lab/"
},
{
"trust": 0.1,
"url": "https://twitter.com/sec_consult"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-1234"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2015-7547"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/en/support/product-support/security-advisory/tap-323-wac-1001-2004-wireless-ap-bridge-client-vulnerabilities"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-39279"
},
{
"trust": 0.1,
"url": "http://blog.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://www.moxa.com/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1914"
},
{
"trust": 0.1,
"url": "https://sec-consult.com/career/"
},
{
"trust": 0.1,
"url": "http://192.168.1.1/forms/web_importtftp?servip=192.168.1.1\u0026configpath=/\u0026filename=name|`ping"
}
],
"sources": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-39278"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "OTHER",
"id": null
},
{
"db": "VULMON",
"id": "CVE-2021-39278"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-07-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"date": "2021-09-01T15:42:52",
"db": "PACKETSTORM",
"id": "164014"
},
{
"date": "2021-04-13T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-09-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"date": "2021-09-07T06:15:08.270000",
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-07-26T05:57:00",
"db": "JVNDB",
"id": "JVNDB-2021-011303"
},
{
"date": "2021-04-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202104-975"
},
{
"date": "2021-09-14T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202109-068"
},
{
"date": "2021-09-09T23:31:00.307000",
"db": "NVD",
"id": "CVE-2021-39278"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural \u00a0MOXA\u00a0 Cross-site scripting vulnerabilities in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-011303"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "164014"
},
{
"db": "CNNVD",
"id": "CNNVD-202109-068"
}
],
"trust": 0.7
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.