Information disclosure in ABB Ellipse

Published: 2017-12-22 12:48:08
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2017-16731
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-523
Exploitation vector Network
Public exploit Not available
Vulnerable software Ellipse
Vulnerable software versions Ellipse 8.9.6
Ellipse 8.8.12
Ellipse 8.7.18
Show more
Vendor URL ABB

Security Advisory

1) Information disclosure

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol due to unprotected transport of credentials. A remote attacker can sniff local network traffic and discovery authentication credentials.

Remediation

The vulnerability is addressed in the following versions: 8.5.26 Release 7, 8.6.21 Release 5, 8.7.18 Release 7, 8.8.12 Release 7, 8.9.6 Release 7.

External links

https://ics-cert.us-cert.gov/advisories/ICSA-17-353-01

Back to List