Echelon has updated software to mitigate multiple vulnerabilities in its SmartServer 1, SmartServer 2, i.LON 100, and i.LON 600 products, according to a report from NCCIC.
The vulnerabilities include an information exposure, authentication bypass using an alternate path or channel, unprotected storage of credentials, and a cleartext transmission of sensitive information.
Successful exploitation of these remotely exploitable vulnerabilities, discovered by Echelon, which worked with Daniel Crowley and IBM's X-Force Red team, could allow remote code execution on the device.
The following SmartServer and i.LON products, which are network devices, are affected:
• SmartServer 1 all versions
• SmartServer 2 all versions prior to release 4.11.007
• i.LON 100 all versions
• i.LON 600 all versions
An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product.
CVE-2018-10627 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, an attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.
CVE-2018-8859 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Also, the devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log in to the SmartServer web user interface.
CVE-2018-8851 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the devices allow unencrypted web connections by default, and they can receive configuration and firmware updates over unsecured FTP.
CVE-2018-8855 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
The products are deployed mainly in the commercial facilities, critical manufacturing, and information technology sectors, and are used worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage them.
Santa Clara, California-based Echelon recommends that affected users install SmartServer 2 Service Pack 7 (Version 4.11.007) to mitigate CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855.
The following manual mitigation is also recommended:
For CVE-2018-10627, Echelon recommends that affected users modify the WebParams.dat file.
Echelon recommends that the following mitigations be implemented until SmartServer 2 Service Pack 7 is installed:
• All SmartServer and i.LON 600 devices, along with any servers using the SmartServer and i.LON services, should be installed behind a firewall or on a VLAN without other devices
• Change the username and password during the initial installation of the affected products
• Disable unencrypted services and secure the encrypted services for the SmartServer or i.LON 100