Authentication bypass in Echelon products - CVE-2018-8859

Published: July 19, 2018 / Updated: July 20, 2018


Vulnerability identifier: #VU13930
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8859
CWE-ID: CWE-288
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Echelon
Affected software:
i.LON 100
SmartServer 2
SmartServer 1

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication on the target system.

The vulnerability exists because protected resources can be reached through an alternate path or channel (CWE-288): a remote unauthenticated attacker can include extra characters in the directory name when specifying the directory to be accessed and thereby bypass the authentication required by the security configuration file.
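To make the class of weakness concrete, the following is added example code; it is not Echelon's software and shows nothing of the SmartServer implementation. The protected-directory rule set, the request paths and all function names are constructed for the demonstration. It places a weak access check that matches the raw request path against protected directory names beside a hardened check that canonicalises the path (percent-decoding, slash collapsing, dot-segment resolution, case folding) before the same rule lookup, and it covers several alternate spellings of one directory rather than any single one.

```python
"""Added example (not Echelon's code): CWE-288, authentication bypass via an
alternate path, shown as a weak path-based access check next to a hardened one.
The protected-directory rule set, the request paths and every function name
here are constructed for this demonstration."""
import posixpath
import re
from urllib.parse import unquote

# Constructed stand-in for a "security configuration file": directories whose
# contents may only be served after authentication.
PROTECTED_DIRS = {"/config", "/admin"}


def naive_requires_auth(raw_path: str) -> bool:
    """Weak check: matches the request path exactly as received.

    Any alternate spelling of the same directory (a doubled slash, a
    percent-encoded letter, a dot segment, a case change on a
    case-insensitive store) fails to match and is served unauthenticated."""
    return any(raw_path == d or raw_path.startswith(d + "/") for d in PROTECTED_DIRS)


def canonicalize(raw_path: str) -> str:
    """Reduce a request path to one canonical form before any rule lookup."""
    path = raw_path
    # Decode percent-encoding until stable so double-encoded bytes do not survive.
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    path = "/" + path                       # anchor at the web root
    path = re.sub(r"/+", "/", path)         # collapse runs of slashes
    path = posixpath.normpath(path)         # resolve '.' and '..' segments
    # Case-fold only because the assumed backing store is case-insensitive;
    # on a case-sensitive store this line should be dropped.
    return path.lower()


def hardened_requires_auth(raw_path: str) -> bool:
    """Same rule set, applied to the canonical path instead of the raw one."""
    path = canonicalize(raw_path)
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)


def compare(raw_path: str) -> tuple:
    """Return (naive verdict, hardened verdict) for one constructed request."""
    return naive_requires_auth(raw_path), hardened_requires_auth(raw_path)


if __name__ == "__main__":
    # Constructed request paths; all but the last name a protected directory.
    for p in ["/config/settings.xml", "//config/settings.xml",
              "/%63onfig/settings.xml", "/public/../admin/users",
              "/CONFIG/settings.xml", "/public/index.htm"]:
        naive, hardened = compare(p)
        print(f"{p!r:32} naive={naive!s:5} hardened={hardened}")
```

The design point is that the rule lookup itself is unchanged between the two versions; the fix is to decide on one canonical representation of a path and apply every rule to that representation only, rejecting inputs (such as a NUL byte) that cannot be canonicalised. A detection-side corollary is that requests whose raw path differs from its canonical form (doubled slashes, encoded letters in directory names, dot segments) are worth logging, since they are uncommon in legitimate traffic to an embedded web server.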


How to mitigate CVE-2018-8859

Update SmartServer 2 to version 4.11.007.

Sources