External risk intelligence

Echelon SmartServer and i.LON Password Exposure Risk

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2018-8851

Certain Echelon devices store passwords in plain text, enabling an attacker with configuration file access to log into the web interface. This could lead to unauthorized system access, impacting operations and data. The realistic business risk involves potential compromise of industrial control systems and related oper

Halo Surface Signal score: 4

Affected product: Echelon SmartServer 1 firmware, versions before 4.11.007

External exposure likelihood

Halo Surface Signal score for CVE-2018-8851

The affected products are industrial gateways and servers designed for remote management and connectivity. These devices often feature web-based user interfaces and are commonly deployed as edge services to bridge operational technology networks with external management or monitoring systems, making them frequently accessible via the network.

Horizon Alert

Summary of the vulnerability and why it matters

Certain Echelon devices store user passwords in plaintext in their configuration files. Anyone who obtains a copy of such a file therefore holds valid credentials and can log into the device's web interface. Because these devices sit between operational technology networks and external management systems, unauthorized access can disrupt operations, expose data, and give an attacker a foothold into the control network.

  • Vulnerable Echelon devices
  • Plaintext password storage
  • Unauthorized system access

Attack Path

How an attacker could exploit the issue

The attacker does not need to break authentication. Because passwords are stored in plaintext in the configuration file, anyone who can read that file (over the network, or from any copy of it that has been exported or backed up) obtains working credentials for the web user interface. Once authenticated, the attacker can change the device's configuration or read whatever it exposes.

  • Attacker obtains the device's configuration file, typically over the network.
  • Attacker reads the plaintext passwords from the file.
  • Attacker logs into the web interface with those passwords.

Live Threat

Current exploitation, exposure, and threat context

This is a credential-storage weakness in Echelon SmartServer and i.LON devices, not a remote code execution flaw: the attacker must first obtain the configuration file. Once it is in hand, no exploit is required, because the web interface accepts the recovered passwords as legitimate logins, potentially with administrative rights. On an edge device that bridges operational technology to external networks, that access translates directly into disruption of industrial control systems and the business operations that depend on them.

  • Likely attacker skill level: Low (reading a file and logging in)
  • Required access or conditions: Network access to the device's configuration file
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Because passwords are stored in plaintext, anyone who obtains an affected device's configuration file can log into its web user interface and take over its administrative controls. Organizations should identify every Echelon SmartServer and i.LON device in their estate, including units tracked only in building-management or OT inventories, and treat any device whose configuration file may already have been read as compromised: updating the firmware changes how passwords are stored, but it does not revoke credentials an attacker has already copied.

  • Locate all affected devices and flag those reachable from outside the OT management network.
  • Restrict network access to the web interface and to any path by which the configuration file can be read.
  • Update SmartServer firmware to 4.11.007 or later, confirm the running version, and confirm that an exported configuration no longer contains plaintext passwords.
  • Rotate every credential stored in the configuration file, and monitor the web interface for logins from unexpected sources.
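The procedure above (find the devices, flag the exposed ones, decide per device whether a firmware update is available) is easy to get wrong in one specific way: comparing firmware versions as strings makes "4.9.x" look newer than "4.11.007". The following triage helper is an added example written for this page; it is not Echelon tooling and not part of the advisory. The inventory rows, the management-network range 10.20.0.0/16, and the address/firmware fields are constructed here. It applies the page's version bound (before 4.11.007) to SmartServer firmware and, because the page lists no fixed version for i.LON 100/600, treats every i.LON version as affected.

```python
"""Triage helper for CVE-2018-8851 (plaintext password storage in Echelon
SmartServer / i.LON).  Added example for this page, not vendor tooling.
Inventory rows, the management CIDR, and the field names are constructed."""
import ipaddress
import re

# First unaffected SmartServer firmware version stated on the page.
FIXED_SMARTSERVER = (4, 11, 7)

# Constructed OT management network; devices outside it count as exposed.
OT_MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed inventory (hostname, product, firmware, management address).
INVENTORY = [
    {"host": "bms-gw-01",  "product": "Echelon SmartServer 2",  "firmware": "4.11.007", "addr": "10.20.1.5"},
    {"host": "bms-gw-02",  "product": "Echelon SmartServer 2",  "firmware": "4.9.112",  "addr": "10.20.1.6"},
    {"host": "hvac-gw-03", "product": "Echelon SmartServer 1",  "firmware": "3.07.020", "addr": "203.0.113.40"},
    {"host": "lon-rtr-07", "product": "Echelon i.LON 600",      "firmware": "1.20",     "addr": "10.20.2.9"},
    {"host": "plc-fw-01",  "product": "Other Vendor Firewall",  "firmware": "9.1",      "addr": "10.20.0.1"},
]


def parse_version(text):
    """'4.11.007' -> (4, 11, 7).  Integer tuples compare correctly; as
    strings '4.9.112' sorts after '4.11.007' and would look patched."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(product, firmware):
    """Apply the page's affected-product statements to one inventory row."""
    name = product.lower()
    if "smartserver" in name:
        # Affected before 4.11.007; an unrecorded version is assumed affected.
        if not firmware:
            return True
        return parse_version(firmware) < FIXED_SMARTSERVER
    if "i.lon" in name:
        # Page names i.LON 100/600 as affected with no fixed version given.
        return True
    return False


def triage(inventory=INVENTORY, mgmt_net=OT_MANAGEMENT_NET):
    """Return affected devices with per-device actions, exposed devices first."""
    findings = []
    for dev in inventory:
        if not is_affected(dev["product"], dev.get("firmware")):
            continue
        exposed = ipaddress.ip_address(dev["addr"]) not in mgmt_net
        actions = ["restrict network access to the web interface"]
        if "smartserver" in dev["product"].lower():
            actions.append("update firmware to 4.11.007 or later and verify the running version")
        # A config file that may already have been read means the passwords in
        # it are known to the attacker, whatever the firmware does afterwards.
        actions.append("rotate every credential stored in the configuration file")
        findings.append({"host": dev["host"], "exposed": exposed, "actions": actions})
    findings.sort(key=lambda f: not f["exposed"])  # stable: exposed first
    return findings


if __name__ == "__main__":
    for f in triage():
        flag = "EXPOSED" if f["exposed"] else "internal"
        print(f"{f['host']:<12} {flag:<9} " + "; ".join(f["actions"]))
```

Run against a real inventory, the only fields the script needs are product name, firmware string, and the address the device's web interface listens on; everything else (CIDR, action wording) is local policy and should be adjusted.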

Frequently asked questions

What are Echelon SmartServer and i.LON devices, and what is their purpose in industrial settings?

Echelon SmartServer 1 and 2, as well as i.LON 100 and 600 devices, function as industrial gateways and servers. They are utilized for remote management and establishing connectivity, frequently serving to link operational technology networks with external systems for monitoring or management.

What specific weakness does CVE-2018-8851 expose in Echelon devices, and what is the associated weakness class?

CVE-2018-8851 relates to CWE-256, a weakness class concerning the storage of passwords in plaintext. This means an attacker with access to configuration files can read passwords in a readable format, potentially enabling them to log into the device's web interface.

How can an attacker exploit CVE-2018-8851 to gain unauthorized access to Echelon devices?

An attacker can exploit CVE-2018-8851 by obtaining a device's configuration file. Since passwords are stored in plaintext within this file, the attacker can read them and use them to authenticate to the device's web user interface, gaining unauthorized access.

What is the significance of Halo Surface Signal classifying this CVE as 'Likely' relevant?

Halo Surface Signal assesses this CVE as 'Likely' relevant because the affected products are industrial gateways and servers with web interfaces, commonly deployed as edge services. Their function in connecting operational technology to external systems increases their network accessibility and potential for exploitation.

What steps should organizations take to address the vulnerability found in Echelon SmartServer and i.LON devices?

Organizations should first identify all potentially affected Echelon SmartServer and i.LON devices. Next, they must restrict network access to these devices and to any path by which their configuration files can be read. Finally, updating the firmware to a secure version, verifying the fix, rotating any credentials that may already have been exposed, and continuously monitoring for suspicious logins are crucial steps.

References