Kaspersky Lab Advisory

(KL-MOXA-2018-105) Insecure Cookie Management

Affected Hardware/Software

Moxa OnCell G3100-HSPA Series Firmware version 1.4 Build 16062919 and prior

Severity level

Impact: Attacker can bruteforce authentication parameters
Access Vector: Remote
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score: 9.8
CVE ID: CVE-2018-11426
CWE ID: 287

Hardware/Software description

Moxa OnCell G3100-HSPA Series devices are industrial five-band HSPA high speed IP gateways with VPN functionality

Vulnerability description

A weak Cookie parameter is used in the web application of OnCell G3100-HSPA Series version 1.4 Build 16062919 and prior. An attacker can brute force parameters required to bypass authentication and access the web interface to use all its functions except of the password change.

Mitigation

Apply firmware patch from vendor.

Credits

Vulnerability was discovered by Eugenie Potseluevskaya (Kaspersky Lab).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

KL-MOXA-2018-105.md

KL-MOXA-2018-105.md

Kaspersky Lab Advisory

(KL-MOXA-2018-105) Insecure Cookie Management

Affected Hardware/Software

Severity level

Hardware/Software description

Vulnerability description

Mitigation

Credits

Files

KL-MOXA-2018-105.md

Latest commit

History

KL-MOXA-2018-105.md

File metadata and controls

Kaspersky Lab Advisory

(KL-MOXA-2018-105) Insecure Cookie Management

Affected Hardware/Software

Severity level

Hardware/Software description

Vulnerability description

Mitigation

Credits