A cleartext transmission vulnerability exists in the web application functionality of Moxa SDS-3008 Series Industrial Ethernet Switch 2.1. A specially-crafted network sniffing can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Moxa SDS-3008 Series Industrial Ethernet Switch 2.1
SDS-3008 Series Industrial Ethernet Switch - https://www.moxa.com/en/products/industrial-network-infrastructure/ethernet-switches/layer-2-smart-switches/sds-3008-series
5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-319 - Cleartext Transmission of Sensitive Information
The SDS-3008 is an 8-port smart Ethernet switch designed for industrial environments. In addition to standard smart switch functionality such as IEEE 802.1Q VLAN, port mirroring and SNMP, the SDS-3008 also implements variations of EtherNet/IP, PROFINET and Modbus TCP to support management functions by “making it controllable and visible from automation HMIs.” The switch is primarily managed via a web application.
The default configuration of the SDS-3008 web application is configured to transmit credentials in cleartext. Neither the credentials nor the communication channel are encrypted, requiring administrators to explicitly disable unencrypted protocols.
An example login request is below:
POST /loginHistory.asp HTTP/1.1 Host: 192.168.127.253 Content-Length: 27 Referer: http://192.168.127.253/auth/accountpassword.asp Connection: close account=admin&password=moxa
Device administrators can disable the HTTP service in the “Management Interface” section of the web application.
2022-10-14 - Vendor Disclosure
2022-10-14 - Initial Vendor Contact
2023-02-02 - Public Release
2023-02-02 - Vendor Patch Release
Discovered by Patrick DeSantis of Cisco Talos.