Executive Summary
Summary | |
---|---|
Title | IntelliCom NetBiter devices have default HICP passwords |
Informations | |||
---|---|---|---|
Name | VU#902793 | First vendor Publication | 2010-04-05 |
Vendor | VU-CERT | Last vendor Modification | 2010-04-07 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#902793IntelliCom NetBiter devices have default HICP passwordsOverviewIntelliCom NetBiter devices ship with default passwords for the HICP network configuration service. An attacker with network access could change network settings and prevent legitimate users from accessing the HICP service.I. DescriptionIntelliCom NetBiter products use the proprietary HICP protocol to configure ethernet and IP network settings. NetBiter devices ship with default, well-known HICP passwords. The password is not hard-coded (persistent) as described in the original post by Rubén Santamarta. The password is set by default but can be changed.II. ImpactAn attacker with network access could change network settings and prevent legitimate users from accessing the HICP service. HICP transmits the password in plain text, so the attacker may also be able to monitor HICP communication and read the changed password.III. SolutionChange default passwordsChange the default password before deploying NetBiter devices in an production environment. Please see IntelliCom Security Bulletin ISFR-4404-0008.
References
This information was published by Rubén Santamarta. The default password is also documented in NetBiter user manuals. ICS-CERT researched this vulnerability and confirmed that the HICP password can be changed and is not persistent. This document was written by Art Manion.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/902793 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-255 | Credentials Management |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61506 | Intellicom NetBiter Firmware Default Persistent HICP Password By default, NetBiter Firmware installs with a default password. The admin account has a password of 'admin' which is publicly known and documented. This allows attackers to trivially access the program or system. |