MidnightBSD

Advisories for echelon

CVE-2018-10627 MEDIUM

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can use the SOAP API to retrieve and change sensitive configuration items such as the usernames and passwords for the Web and FTP servers. This vulnerability does not affect the i.LON 600 product.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor    Product                  Version
echelon   smartserver_2_firmware   *
echelon   i.lon_100_firmware       *
echelon   smartserver_1_firmware   *

CVE-2018-8851 MEDIUM

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices store passwords in plaintext, which may allow an attacker with access to the configuration file to log into the SmartServer web user interface.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-256, CWE-522

Products Affected

Vendor    Product                  Version
echelon   smartserver_1_firmware   -
echelon   smartserver_2_firmware   *
echelon   i.lon_600_firmware       -
echelon   i.lon_100_firmware       -

CVE-2018-8855 HIGH

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. The devices allow unencrypted Web connections by default, and devices can receive configuration and firmware updates by unsecure FTP.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-319

Products Affected

Vendor    Product                  Version
echelon   smartserver_1_firmware   -
echelon   smartserver_2_firmware   *
echelon   i.lon_600_firmware       -
echelon   i.lon_100_firmware       -

CVE-2018-8859 HIGH

Echelon SmartServer 1 all versions, SmartServer 2 all versions prior to release 4.11.007, i.LON 100 all versions, and i.LON 600 all versions. An attacker can bypass the required authentication specified in the security configuration file by including extra characters in the directory name when specifying the directory to be accessed. This vulnerability does not affect the i.LON 600 product.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-288, CWE-287

Products Affected

Vendor    Product                  Version
echelon   smartserver_1_firmware   -
echelon   smartserver_2_firmware   *
echelon   i.lon_600_firmware       -
echelon   i.lon_100_firmware       -

CVE-2022-3089

Echelon SmartServer 2.2 with i.LON Vision 2.2 stores cleartext credentials in a file, which could allow an attacker to obtain cleartext usernames and passwords of the SmartServer. If the attacker obtains the file, then the credentials could be used to control the web user interface and file transfer protocol (FTP) server.

CVSS 3.x

Source               Score  Severity  Vector                                        Exploitability  Impact
ics-cert@hq.dhs.gov  6.3    MEDIUM    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H  0.8             5.5
nvd@nist.gov         9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  3.9             5.9

Products Affected

Vendor    Product        Version
echelon   i.lon_vision   2.2