SB2017071203 - Information disclosure in ABB VSN300 WiFi Logger Card
Published: July 12, 2017
Security Bulletin ID
SB2017071203
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Adjecent network
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-7920)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exist due to improper authentication. An adjacent attacker can access a specific uniform resource locator (URL) on the web server, bypass authentication and obtain internal information about status and connected devices.
Successful exploitation of the vulnerability results in information disclosure.
2) Information disclosure (CVE-ID: CVE-2017-7916)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exist due to improper restriction of privileges of the “Guest” account. An adjacent attacker can gain access to configuration information that should be restricted.
Successful exploitation of the vulnerability results in information disclosure.
Remediation
Install update from vendor's website.