Information disclosure in ABB VSN300 WiFi Logger Card

Published: 2017-07-12 12:39:53
Severity Low
Patch available YES
Number of vulnerabilities 2
CVSSv2 4.5 (AV:A/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
4.5 (AV:A/AC:L/Au:N/C:C/I:N/A:N/E:U/RL:OF/RC:C)
CVSSv3 5.5 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
5.5 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE ID CVE-2017-7920
CVE-2017-7916
CWE ID CWE-287
CWE-264
Exploitation vector Local network
Public exploit Not available
Vulnerable software VSN300 WiFi Logger Card
Vulnerable software versions VSN300 WiFi Logger Card 2.1.3
VSN300 WiFi Logger Card 1.8.15
VSN300 WiFi Logger Card 1.8.9
Vendor URL ABB
Advisory type Public

Security Advisory

1) Information disclosure

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exist due to improper authentication. An adjacent attacker can access a specific uniform resource locator (URL) on the web server, bypass authentication and obtain internal information about status and connected devices.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Update WiFi Logger Card to version 1.9.0 or later.
Update WiFi Logger Card for React to version 2.2.5 or later.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03

2) Information disclosure

Description

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The weakness exist due to improper restriction of privileges of the “Guest” account. An adjacent attacker can gain access to configuration information that should be restricted.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Update WiFi Logger Card to version 1.9.0 or later.
Update WiFi Logger Card for React to version 2.2.5 or later.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03

Back to List