CVE-2019-9098

Name of the Vulnerable Software and Affected Versions Moxa MGate MB3170 versions prior to 4.1 Moxa MGate MB3180 versions prior to 2.1 Moxa MGate MB3270 versions prior to 4.1 Moxa MGate MB3280 versions prior to 3.1 Moxa MGate MB3480 versions prior to 3.1 Moxa MGate MB3660 versions prior to 2.3

Description The issue is related to an integer overflow in the built-in web server of Moxa MGate devices, which allows remote attackers to initiate a denial of service (DoS). The vulnerability is also associated with a buffer overflow in the stack when processing input data in the Content-Length parameter, potentially allowing an attacker to execute arbitrary code or cause a denial of service using a specially crafted packet.

Recommendations For Moxa MGate MB3170 versions prior to 4.1, update to version 4.1 or later. For Moxa MGate MB3180 versions prior to 2.1, update to version 2.1 or later. For Moxa MGate MB3270 versions prior to 4.1, update to version 4.1 or later. For Moxa MGate MB3280 versions prior to 3.1, update to version 3.1 or later. For Moxa MGate MB3480 versions prior to 3.1, update to version 3.1 or later. For Moxa MGate MB3660 versions prior to 2.3, update to version 2.3 or later. As a temporary workaround, consider disabling the built-in web server until a patch is available. Restrict access to the vulnerable devices to minimize the risk of exploitation. Avoid using the Content-Length parameter in the affected API endpoint until the issue is resolved.