Information disclosure in Echelon products - CVE-2018-10627
Published: July 19, 2018 / Updated: July 20, 2018
i.LON 100
SmartServer 2
SmartServer 1
Detailed vulnerability description
The vulnerability allows a remote attacker to read and change sensitive device configuration.
The vulnerability exists due to an unspecified flaw in the SOAP API. A remote attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers; recovering those credentials in turn gives the attacker authenticated access to the device's Web and FTP services.
How to mitigate CVE-2018-10627
Echelon recommends that the following mitigations are implemented until SmartServer 2 Service Pack 7 is installed:
- All SmartServer and i.LON 600 devices, along with any servers using the SmartServer and i.LON services, should be installed behind a firewall or on a VLAN without other devices.
- Change the username and password during the initial installation of the affected products.
- Disable unencrypted services and secure the encrypted services on the SmartServer or i.LON 100.
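The network-facing parts of these mitigations can be verified from the outside. The following script is an added example written for this page, not Echelon code or anything from the original advisory: it probes a SmartServer/i.LON host for the FTP, HTTP and HTTPS services the advisory refers to and reports which recommendations are not in place. The port numbers are assumed to be the standard ones and the device may be configured differently; the assumption that the SOAP API is served by the device's web server (so an open HTTP port means the affected API is reachable in the clear) is also mine. Whether the scanning host is on the isolated management segment is something only the operator knows, so it is passed in as a flag. The credential change cannot be verified without attempting a login, so this script does not check it.

```python
"""Post-mitigation exposure check for a SmartServer / i.LON host (added example).

Probes the standard ports of the unencrypted (FTP, HTTP) and encrypted (HTTPS)
services and reports which of the advisory's mitigations are not in effect.
Assumptions: standard port numbers; the SOAP API rides on the web server, so an
open HTTP port exposes it without encryption.
"""
import argparse
import socket
from typing import Dict, List

# Assumed service map: name -> (port, encrypted?). Adjust for non-default ports.
SERVICES = {
    "ftp": (21, False),
    "http": (80, False),    # also carries the SOAP API (assumption)
    "https": (443, True),
}


def probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str) -> Dict[str, bool]:
    """Probe every service in SERVICES and return name -> reachable."""
    return {name: probe(host, port) for name, (port, _enc) in SERVICES.items()}


def assess(open_services: Dict[str, bool], from_management_network: bool) -> List[str]:
    """Turn scan results into findings against the advisory's mitigations.

    open_services: service name -> reachable (output of scan(), or constructed).
    from_management_network: True if the scanning host sits on the dedicated
        VLAN / behind the firewall that is supposed to be the only path in.
    Returns a list of human-readable findings; an empty list means no gap found.
    """
    findings: List[str] = []
    reachable = sorted(name for name, up in open_services.items() if up)

    # Mitigation 1: the device should only answer from the management segment.
    if reachable and not from_management_network:
        findings.append(
            "device reachable from outside the management segment: "
            + ", ".join(reachable)
        )

    # Mitigation 3: unencrypted services (FTP, HTTP and the SOAP API on it)
    # should be disabled; an encrypted service still answering is acceptable.
    for name in reachable:
        port, encrypted = SERVICES[name]
        if not encrypted:
            findings.append(f"unencrypted service still enabled: {name} (port {port})")
    return findings


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="SmartServer/i.LON exposure check")
    parser.add_argument("host", help="address of the SmartServer or i.LON device")
    parser.add_argument(
        "--from-management",
        action="store_true",
        help="set when running from the isolated management VLAN / behind the firewall",
    )
    args = parser.parse_args()
    results = scan(args.host)
    for finding in assess(results, args.from_management) or ["no findings"]:
        print(finding)
```

Run it once from a host on the management segment with `--from-management` (expect only unencrypted-service findings, or none after hardening) and once from an ordinary office network without the flag (expect no services to answer at all). A device that still answers on FTP or HTTP from anywhere outside the segment has neither mitigation in place.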