Full Report
Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway and Device Management Software.
Analysis Summary
# Vulnerability: Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT Gateway
## CVE Details
- CVE ID: CVE-2018-18394
- CVSS Score: 9.8 (Critical) - *Calculated based on provided vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which maps to a critical score.*
- CWE: [Not explicitly available, but implied sensitive data exposure]
## Affected Systems
- Products: Moxa ThingsPro IIoT Gateway and Device Management Software
- Versions: ThingsPro v. 2.1
- Configurations: Not specified, likely affecting default configurations.
## Vulnerability Description
Sensitive information, specifically access tokens, is stored in clear text within the Moxa ThingsPro software. A remote, unauthenticated attacker can recover these access tokens due to this lack of encryption for stored credentials/tokens.
## Exploitation
- Status: Unknown existence of exploit
- Complexity: Low (Based on CVSS vector: Attack Complexity Low, Authentication None)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H) - Full leak of sensitive tokens.
- Integrity: High (I:H) - If tokens grant high privileges.
- Availability: High (A:H) - If compromised session/tokens lead to service disruption.
## Remediation
### Patches
- Vendor mitigation: New firmware release for **ThingsPro Gateway Edition 2.3**. Users are instructed to contact their sales representative to obtain the firmware.
### Workarounds
- No specific workarounds were provided in the source material. (Implied mitigation would be restricting network access until patched.)
## Detection
- Detection methods were not explicitly listed. Indicators of compromise would involve monitoring for unauthorized retrieval of configuration files or logs containing clear-text tokens by external processes.
## References
- Vendor advisory: Moxa
- Kaspersky Advisory: hxxps://ics-cert.kaspersky.com/advisories/2018/10/18/klcert-18-022-moxa-thingspro-iiot-gateway-and-device-management-software-solutions-sensitive-information-stored-in-clear-text/