Executive Summary

Summary
Title: Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default

Information
Name: VU#507216
Vendor: VU-CERT
First vendor Publication: 2016-02-16
Last vendor Modification: 2016-02-16
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

CVSS vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)
CVSS Base Score: 2.9
CVSS Impact Score: 2.9
CVSS Exploit Score: 5.5
Attack Range: Adjacent network
Attack Complexity: Medium
Authentication: None Required

Detail

Vulnerability Note VU#507216

Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default

Original Release date: 16 Feb 2016 | Last revised: 16 Feb 2016

Overview

Hirschmann "Classic Platform" switches contain a password sync feature that syncs the switch administrator password with the SNMP community password, exposing the administrator password to attackers on the local network.

Description

CWE-257: Storing Passwords in a Recoverable Format

For all Hirschmann (part of Belden) "Classic Platform" switches (which includes the MACH series workgroup switches, among others), by default, the switch administrator password is used to construct an SNMP community string that allows remote management of some switch configuration. Attackers on the local network with the ability to sniff network traffic may be able to recover the administrator password from the community string.

Belden has released security advisory BSECV-2016-2 which describes this issue in more detail.

Impact

An attacker on the local network may learn the switch administrator password from the SNMP community string, which is sent over the network in plaintext in SNMPv1 and SNMPv2.

Solution

Disable the SNMP Password Sync feature and use SNMPv3

Affected users may disable the password sync feature on their devices. For more information, please see Belden security advisory BSECV-2016-2. Users are also encouraged to use SNMPv3, which supports encrypted network traffic.

According to Hirschmann, the password sync feature was enabled by default to aid in network setup during the transition from SNMPv1/v2 to SNMPv3. Hirschmann has committed to disabling the password sync feature by default in future devices and firmware now that SNMPv3 is the default on their products.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Belden | Affected | - | 28 Jan 2016

CVSS Metrics

Group | Score | Vector
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal | 6.9 | E:F/RL:OF/RC:C
Environmental | 5.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://www.belden.com/resourcecenter/security/upload/Belden_Security_Advisory_BSECV-2016-2_1v0.pdf
  • http://www.hirschmann.com/en/Hirschmann_Produkte/Industrial_Ethernet/Workgroup-Switches_MACH100/index.phtml

Credit

Thanks to Mark Jaques for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 16 Feb 2016
  • Date First Published: 16 Feb 2016
  • Date Last Updated: 16 Feb 2016
  • Document Revision: 58


Original Source

Url : http://www.kb.cert.org/vuls/id/507216

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-200 | Information Exposure

CPE : Common Platform Enumeration

Type | Description | Count
Hardware | | 1
Os | | 2

Alert History

Date | Information
2016-03-23 09:27:15
  • Multiple Updates
2016-02-19 05:30:13
  • Multiple Updates
2016-02-17 00:29:38
  • Multiple Updates
2016-02-17 00:25:15
  • Multiple Updates
2016-02-16 21:29:40
  • Multiple Updates
2016-02-16 21:24:23
  • First insertion