Eaton Lighting Systems produced a firmware patch to mitigate vulnerabilities in its EG2 Web Control application, according to a report on ICS-CERT.
Eaton Lighting Systems’ EG2 Web Control V4.04P and prior suffer from the remotely exploitable vulnerabilities discovered by independent researcher Maxim Rupp.
A remote attacker may be able to exploit these vulnerabilities to perform administrative operations allowing the EG2 connection to configure the system via the Internet rather than by connecting directly into the network.
Eaton Lighting Systems is a U.S.-based company that maintains offices worldwide.
The affected products, EG2 Web Control, facilitate Internet and Wi-Fi LAN connection into the iLumin network. These products see use primarily in residential applications. Eaton Lighting Systems estimates these products see action globally.
In one of the vulnerabilities, attackers could easily modify cookies within the browser or by implementing the client-side code outside the browser.
CVE-2016-2272 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, an unauthorized user can directly access configuration file to view credentials.
CVE-2016-0871 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.
Eaton Lighting Systems decided t o remove this functionality from the device. The EG2 is a legacy product moving to “end-of-life” later this year. New hardware and OS platform is replacing this system. Eaton Lighting Systems has produced a firmware patch to mitigate these vulnerabilities.
Contact Eaton Lighting Systems for advice on updating the firmware.
In the Americas, users can use this contact.
Or visit the Eaton cyber security web site for additional information.