CVE-2019-9104 in MGate MB3170
Summary
by MITRE
An issue was discovered on Moxa MGate MB3170 and MB3270 devices before 4.1, MB3280 and MB3480 devices before 3.1, MB3660 devices before 2.3, and MB3180 devices before 2.1. The application's configuration file contains parameters that represent passwords in cleartext.
Analysis
by VulDB Data Team • 04/13/2024
This vulnerability affects multiple Moxa MGate series industrial communication devices including MB3170, MB3270, MB3280, MB3480, MB3660, and MB3180 models. The security flaw stems from improper handling of authentication credentials within the device configuration files, where passwords are stored in plaintext format rather than being properly encrypted or hashed. This represents a fundamental weakness in the device's credential management architecture that directly violates established security best practices for industrial control systems.
The weakness lies in the structure of the application's configuration file, which stores sensitive authentication parameters in readable form. Any user who can read that file, whether through the device's file system or through its configuration interfaces, obtains the password values directly; no cryptographic attack or further exploitation is required. Because the file yields valid credentials for administrative accounts and other system services, access to the configuration file alone is an immediate privilege escalation vector.
The operational impact of this vulnerability extends beyond simple credential exposure, as it fundamentally undermines the security posture of industrial networks that rely on these devices for communication and control functions. Attackers who can access the configuration files can establish persistent access to the affected devices and potentially use the extracted credentials to move laterally within industrial control networks. This vulnerability particularly affects environments where industrial protocols and communication gateways are deployed, as it enables attackers to compromise the integrity of communication channels between operational technology and information technology systems. The risk is compounded by the fact that these devices often operate in critical infrastructure environments where unauthorized access could lead to significant operational disruptions or safety hazards.
Organizations should implement immediate mitigations: restrict physical and network access to affected devices, enforce file system access controls that prevent unauthorized reading of configuration files, and establish regular credential rotation procedures. The vulnerability aligns with CWE-312 (Cleartext Storage of Sensitive Information) and represents a critical weakness in the device's security architecture that violates NIST SP 800-82 guidelines for industrial control systems. Network segmentation and monitoring for unauthorized file access attempts should be added as further defensive measures, and affected devices should be upgraded to versions that properly encrypt or hash password values within configuration files. The ATT&CK framework maps this vulnerability to T1552 (Credentials in Files) and T1078 (Valid Accounts), since it enables both credential theft and subsequent use of legitimate accounts through the compromised authentication information.
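A defensive audit check for the class of flaw described above, added here as an example; it is not Moxa's code and does not use the real MGate file format, which this page does not describe. It parses a constructed key=value configuration export, flags credential parameters whose values are stored in cleartext rather than hashed, and produces a redacted copy that can be attached to a ticket. The key names, sample values and the "protected value" heuristic are assumptions.

```python
import re

# Constructed sample configuration export (key=value lines). It stands in for
# "a configuration file whose parameters represent passwords"; it is NOT the
# real MGate file format, which the advisory does not describe.
SAMPLE_CONFIG = """\
# gateway settings (constructed sample)
device.name=mb3170-gw01
admin.password=Summer2019!
snmp.community=public
operator.password=$6$rounds=5000$saltsalt$ab3Qx9
syslog.server=192.0.2.10
backup.password=
"""

# Parameter names that conventionally carry credentials (assumed convention).
SECRET_KEY = re.compile(r"(pass(word|wd|phrase)?|secret|community|psk)$", re.I)

# Values treated as already protected: crypt-style "$id$..." strings or a
# 32/40/64-character hex digest. Anything else is treated as cleartext.
PROTECTED_VALUE = re.compile(
    r"^(\$[0-9a-z]+\$.+|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        params[key.strip()] = value.strip()
    return params


def find_cleartext_secrets(text):
    """Return credential-bearing keys whose values are stored in cleartext (CWE-312)."""
    findings = []
    for key, value in parse_config(text).items():
        if SECRET_KEY.search(key) and value and not PROTECTED_VALUE.match(value):
            findings.append(key)
    return findings


def redact_config(text):
    """Copy of the export with credential values masked, safe to share."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        out.append(f"{key}=<redacted>" if sep and SECRET_KEY.search(key.strip()) else line)
    return "\n".join(out)
```

Run `find_cleartext_secrets` over exported device configurations during audits; an empty result for every export is the condition that the upgraded firmware should produce.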