#VU7472 Information disclosure in VSN300 WiFi Logger Card
Vulnerability identifier: #VU7472
Vulnerability risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Local network
Exploit availability: No
Vulnerable software:
VSN300 WiFi Logger Card
Hardware solutions /
Firmware
Vendor: ABB
Description
The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.
The weakness exist due to improper authentication. An adjacent attacker can access a specific uniform resource locator (URL) on the web server, bypass authentication and obtain internal information about status and connected devices.
Successful exploitation of the vulnerability results in information disclosure.
Mitigation
Update WiFi Logger Card to version 1.9.0 or later.
Update WiFi Logger Card for React to version 2.2.5 or later.
Vulnerable software versions
VSN300 WiFi Logger Card: 1.8.9 - 2.1.3
External links
http://ics-cert.us-cert.gov/advisories/ICSA-17-192-03
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
