CVE-2018-10692 in AWK-3121
Summary
by MITRE
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
Analysis
by VulDB Data Team • 09/28/2023
The vulnerability identified as CVE-2018-10692 affects Moxa AWK-3121 devices running firmware version 1.14 and concerns session management in the device's web interface: the session cookie named "Password508" is issued without the HttpOnly attribute. Taken alone this is a missing hardening flag rather than a directly exploitable bug, but it removes the one browser-side control that keeps a script-injection (XSS) flaw in the interface from turning into immediate session theft and, through the stolen session, unauthorized access to the device's administrative interface.
The technical flaw is visible in the web server's response headers: the Set-Cookie header that establishes the session carries no HttpOnly attribute. This is catalogued as CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag). HttpOnly instructs the browser to withhold the cookie from client-side script, so that a script running in the page cannot read it through the document.cookie property even if the cookie is still sent automatically with every request. Without the flag, any XSS payload that executes in the origin of the device's web interface can read the session cookie directly and exfiltrate it, letting the attacker replay it from their own machine and impersonate the logged-in user. The practical caveat is that HttpOnly is a containment measure, not a cure: a script that cannot read the cookie can still issue requests that the browser will attach the cookie to, so the fix for the flag must be accompanied by fixing the XSS itself.
The operational impact goes beyond the cookie value itself: a stolen session grants the attacker the victim's administrative privileges for as long as that session remains valid, enabling unauthorized configuration changes, data exfiltration, and a foothold for lateral movement within the network. This is particularly concerning in industrial environments, where the AWK-3121, an industrial wireless AP/bridge/client, commonly links field equipment to the plant network. In ATT&CK terms the post-exploitation step is T1539 (Steal Web Session Cookie); the XSS payload needed to trigger it would typically reach a logged-in administrator through a crafted link (T1566.002, Spearphishing Link) or through content injected into a page the administrator already visits.
Mitigation splits between the vendor and the operator. On the vendor side, the session cookie must be issued with HttpOnly, and in practice also with Secure (so it is never sent over plaintext HTTP) and a SameSite value of Lax or Strict (so cross-site requests do not carry it); the web interface must additionally encode or reject user-controlled input so that no XSS exists to exploit the missing flag. Operators should update to a firmware release in which the cookie carries these attributes (check Moxa's advisory for the fixed version), and until then keep the management interface off any network an untrusted browser can reach: a dedicated management VLAN or jump host, no exposure to the Internet or to the general corporate LAN, and administrators who log out rather than leaving sessions open. Where the interface must be reached through a reverse proxy, the proxy can also add the missing cookie attributes in transit. Verification is straightforward: capture the login response with curl or the browser's developer tools and confirm that every Set-Cookie header for the session cookie includes HttpOnly. Because this class of misconfiguration is common in embedded network appliances whose firmware is updated infrequently, the same check belongs in routine assessments of other devices as well.
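To make both the weakness and the verification step concrete, the following is an added example, not code from VulDB, MITRE or Moxa. It parses Set-Cookie header values the way a browser would and reports the attributes a session cookie should carry (HttpOnly, Secure, SameSite). The two sample headers are constructed for illustration: the cookie value "abc123" and the hardened header are assumptions, not captured AWK-3121 traffic; only the cookie name "Password508" and the missing HttpOnly flag come from the advisory.

```python
"""Audit Set-Cookie headers for HttpOnly, Secure and SameSite.

Added example, not code from VulDB, MITRE or Moxa. The sample header
values below are constructed; the cookie value "abc123" and the hardened
header are assumptions, not captured AWK-3121 traffic.
"""
import ssl
import urllib.request

# Constructed: the shape of the flaw on the page, a session cookie issued
# without HttpOnly (value is made up).
VULNERABLE_SET_COOKIE = "Password508=abc123; path=/"
# Constructed: how the same cookie should be issued (assumption).
HARDENED_SET_COOKIE = "Password508=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    flag attributes such as HttpOnly and Secure that carry no value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header (empty list = no issue)."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie (CWE-1004)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, will be sent over plaintext HTTP")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is not Lax or Strict, cross-site requests carry it")
    return findings


def audit_headers(headers):
    """Audit every Set-Cookie entry in an iterable of (header_name, header_value) pairs."""
    findings = []
    for key, val in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_set_cookie(val))
    return findings


def audit_url(url, verify_tls=True):
    """Fetch one URL and audit the Set-Cookie headers of the response.

    Embedded management interfaces often use self-signed certificates; pass
    verify_tls=False only when auditing a device you control on an isolated
    network. Not called by the offline demo below; kept for interactive use.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return audit_headers(resp.getheaders())


if __name__ == "__main__":
    for label, header in (("vulnerable", VULNERABLE_SET_COOKIE),
                          ("hardened", HARDENED_SET_COOKIE)):
        print(f"{label}: {audit_set_cookie(header) or ['OK']}")
```

Run the file as-is to see the constructed vulnerable header produce three findings and the hardened one none; against a real device, call audit_url on the login endpoint (the session cookie is usually set in the response to a successful login rather than on the first GET, so audit the response that actually issues it).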