10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.075 Low
EPSS
Percentile
94.1%
Successful exploitation of these vulnerabilities could allow an attacker to view sensitive information, cause availability issues, and execute remote code.
The following versions of AWK-3121, a wireless access point/bridge/client, are affected:
The device uses HTTP traffic by default allowing insecure communication to the web server, which could allow an attacker to compromise sensitive data such as credentials.
CVE-2018-10690 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An attacker can navigate to a URL and download the system log without authentication, which may allow access to sensitive information.
CVE-2018-10691 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A cross-site scripting attack allows access to session cookies, which may allow an attacker to login into the device.
CVE-2018-10692 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
An unauthorized user may execute network troubleshooting commands to cause a buffer overflow condition, which may allow the attacker to execute commands on the device.
CVE-2018-10693 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The Wi-Fi connection used to set up the device is not encrypted by default, which may allow an attacker to capture sensitive data.
CVE-2018-10694 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
An unauthorized user may cause a buffer overflow using the device alert functionality, which may allow the attacker to execute commands on the device.
CVE-2018-10695 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The web interface is not protected against CSRF attacks, which may allow an attacker to trick a user into executing commands or actions by clicking a malicious link.
CVE-2018-10696 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An unauthorized user may inject malicious commands into the system while using network troubleshooting functions, which may allow the attacker to execute unauthorized commands on the device.
CVE-2018-10697 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The system enables an insecure service by default, which may allow an attacker to view sensitive information or modify information being transmitted through a man-in-the-middle attack.
CVE-2018-10698 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthorized user can inject malicious commands while using system certificate functions, which may allow the attacker to execute unauthorized commands on the device.
CVE-2018-10699 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An unauthorized user can execute an XSS attack, which may allow the injection of a malicious payload on the server.
CVE-2018-10700 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
An unauthorized user may cause a buffer overflow on the system using system troubleshooting functions, which may allow the attacker to execute commands.
CVE-2018-10701 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An unauthorized user may inject malicious commands on the system using system troubleshooting functions, which may allow the attacker to execute commands on the device.
CVE-2018-10702 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An unauthorized user may cause a buffer overflow on the system using system troubleshooting functions, which may allow the attacker to execute commands on the device.
CVE-2018-10703 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Samuel Huntley reported these vulnerabilities to CISA.
Moxa notes this device has reached end of life and has been replaced by model AWK-1131A (see Moxa bulletin). Moxa recommends users apply the latest security patch, which can be obtained by contacting customer service at the following link:
<https://www.moxa.com/en/support/support/technical-support>
For additional information see the Moxa advisory.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10690
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10691
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10692
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10693
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10694
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10695
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10696
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10697
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10698
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10699
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10700
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10701
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10702
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10703
cwe.mitre.org/data/definitions/1004.html
cwe.mitre.org/data/definitions/119.html
cwe.mitre.org/data/definitions/119.html
cwe.mitre.org/data/definitions/119.html
cwe.mitre.org/data/definitions/119.html
cwe.mitre.org/data/definitions/284.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/319.html
cwe.mitre.org/data/definitions/352.html
cwe.mitre.org/data/definitions/77.html
cwe.mitre.org/data/definitions/77.html
cwe.mitre.org/data/definitions/77.html
cwe.mitre.org/data/definitions/79.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Moxa%20AWK-3121+https://www.cisa.gov/news-events/ics-advisories/icsa-19-337-02
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-19-337-02&title=Moxa%20AWK-3121
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-19-337-02
www.moxa.com/en/products/phased-out-products/awk-3121-series
www.moxa.com/en/support/support/security-advisory/awk-3121-series-industrial-ap-bridge-client-vulnerabilities
www.moxa.com/en/support/support/technical-support
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-19-337-02
www.us-cert.gov/ics
www.us-cert.gov/ics
www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01
www.us-cert.gov/ics/recommended-practices
www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B
www.us-cert.gov/ncas/tips/ST04-014
www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf
www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Moxa%20AWK-3121&body=www.cisa.gov/news-events/ics-advisories/icsa-19-337-02
10 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.7 High
AI Score
Confidence
High
0.075 Low
EPSS
Percentile
94.1%