# Vulnerability: Password Management Issue in Moxa ThingsPro IIoT Gateway and Device Management Software
## CVE Details
- CVE ID: CVE-2018-18393
- CVSS Score: 7.5 (High), as stated in the source. *Note: the source's CVSS data was internally inconsistent (a 0.0 score alongside a vector said to compute to 7.5), and the metrics listed under Exploitation and Impact below (AV:N, AC:L, C:H, I:L, A:N) do not produce 7.5 under any CVSS v3 privileges/user-interaction/scope combination (they give 8.2 for PR:N/UI:N/S:U, 7.1 for PR:L). Treat the score and vector as unverified and confirm them against NVD or the vendor advisory before using them for prioritisation.*
- CWE: Not listed in the source; the flaw is a password-management weakness (an account's password can be set without proper authentication).
## Affected Systems
- Products: Moxa ThingsPro IIoT Gateway and Device Management Software
- Versions: ThingsPro v2.1 (the source names no other affected versions)
- Configurations: N/A
## Vulnerability Description
A password management issue in Moxa ThingsPro allows a remote, unauthenticated attacker to change a user's password. The source gives no further detail on the mechanism (which endpoint or workflow is affected). The consequence is what matters to defenders: an attacker who can set an account's password from the network, without proving possession of the old one or holding any credentials, gains that account's access to the gateway and its device-management functions.
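The weakness class described above, as an added illustration that is not ThingsPro code (the real mechanism is undisclosed, so the endpoint, field names and storage here are hypothetical): a password-change handler that trusts the account name in the request and never checks who is calling, beside a hardened handler that requires an authenticated session bound to the target account, re-verifies the current password, and writes an audit record of every accepted and denied change.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example; hypothetical gateway account store, not Moxa/ThingsPro code.


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes


@dataclass
class ChangeRequest:
    target_user: str                 # account the caller wants to change
    new_password: str
    session_user: Optional[str]      # None models an unauthenticated caller
    current_password: Optional[str] = None


def make_store(users: Dict[str, str]) -> Dict[str, User]:
    """Constructed sample accounts: name -> plaintext, stored hashed."""
    return {name: User(name, *hash_password(pw)) for name, pw in users.items()}


class WeakService:
    """Vulnerable pattern: the handler trusts target_user from the request
    body and never checks whether, or as whom, the caller is logged in."""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users

    def change_password(self, req: ChangeRequest) -> int:
        user = self.users.get(req.target_user)
        if user is None:
            return 404
        user.salt, user.digest = hash_password(req.new_password)
        return 200


class HardenedService:
    """Hardened pattern: authenticated session, session bound to the target
    account, current password re-verified, every outcome audited."""

    def __init__(self, users: Dict[str, User]) -> None:
        self.users = users
        self.audit: List[str] = []

    def change_password(self, req: ChangeRequest) -> int:
        if req.session_user is None:
            self.audit.append(f"DENY unauthenticated change for {req.target_user}")
            return 401
        if req.session_user != req.target_user:
            self.audit.append(f"DENY {req.session_user} tried to change {req.target_user}")
            return 403
        user = self.users.get(req.target_user)
        if (user is None or req.current_password is None
                or not verify_password(req.current_password, user.salt, user.digest)):
            self.audit.append(f"DENY bad current password for {req.target_user}")
            return 403
        user.salt, user.digest = hash_password(req.new_password)
        self.audit.append(f"OK password changed for {req.target_user}")
        return 200


def unauthenticated_takeover(service_cls) -> Tuple[int, bool]:
    """Replay the attacker's move against a fresh store: an anonymous request
    naming the admin account. Returns (status, attacker's password now works)."""
    users = make_store({"admin": "correct horse battery staple"})
    svc = service_cls(users)
    status = svc.change_password(ChangeRequest("admin", "pwned", session_user=None))
    admin = users["admin"]
    return status, verify_password("pwned", admin.salt, admin.digest)


def legitimate_change(service_cls, current: str) -> int:
    """An admin with a live session changes their own password, supplying `current`."""
    users = make_store({"admin": "correct horse battery staple"})
    svc = service_cls(users)
    req = ChangeRequest("admin", "new-secret", session_user="admin", current_password=current)
    return svc.change_password(req)


if __name__ == "__main__":
    print("weak service, anonymous caller:    ", unauthenticated_takeover(WeakService))
    print("hardened service, anonymous caller:", unauthenticated_takeover(HardenedService))
```

The weak handler answers 200 to the anonymous request and the attacker's password then authenticates as admin; the hardened one answers 401 and the original password still works. The audit list is the kind of record the Detection section below depends on: a device that logs nothing for password changes gives a defender no indicator at all.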
## Exploitation
- Status: Unknown (the source reports no public exploit and no in-the-wild exploitation)
- Complexity: Low (CVSS indicates AC:L - Attack Complexity Low)
- Attack Vector: Network (CVSS indicates AV:N - Attack Vector Network)
## Impact
- Confidentiality: High (C:H)
- Integrity: Low (I:L)
- Availability: None (A:N)
## Remediation
### Patches
- The vendor fix is a new firmware release, **ThingsPro Gateway Edition 2.3**. The firmware is not a public download; affected users are advised to contact their Moxa sales representative to obtain it.
### Workarounds
- The source gives no workarounds. For a device that cannot be upgraded yet, the general-purpose mitigation for a network-reachable flaw of this kind is to restrict which hosts can reach the gateway's management interface (segmentation, firewall rules); this is standard practice rather than vendor guidance.
## Detection
- The source specifies no detection method or tooling. Because the flaw lets someone set an account's password without authenticating, the primary indicators are password changes on the gateway that no administrator initiated: legitimate users unexpectedly locked out, password-change events in the device's logs with no corresponding administrative action, and password-change requests to the management interface from unexpected source addresses where that traffic is monitored at the network level.
## References
- Kaspersky ICS CERT advisory KLCERT-18-021 (published 18 October 2018): hXXps://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-021-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-password-management-issue/
- Moxa vendor advisory referenced by KLCERT-18-021 (fix: ThingsPro Gateway Edition 2.3 firmware).