B+B SmartWorx Fixes Bypass Hole
Thursday, February 18, 2016 @ 04:02 PM gHale
B+B SmartWorx created an implementation plan to mitigate an authentication bypass vulnerability in its VESP211 serial servers, according to a report on ICS-CERT.
Successful exploitation of this vulnerability could allow attackers to perform administrative operations over the network without authentication.
The following VESP211 serial servers suffer from the remotely exploitable vulnerability discovered by independent researcher, Maxim Rupp:
• Model: VESP211-EU Firmware Version: 1.7.2
• Model: VESP211-232 Firmware Version: 1.7.2
• Model: VESP211-232 Firmware Version: 1.5.1
B+B SmartWorx is a U.S.-based company that has additional offices in Ireland and the Czech Republic. In January, B+B SmartWorx merged with Advantech, a Taiwan-based company.
The affected products, VESP211 serial servers, are an interface for connecting serial devices to an Ethernet network. VESP211 serial servers see action across several sectors including energy, telecommunications, and transportation. B+B SmartWorx estimates these products see use primarily in North America with a smaller percentage in Europe and South America.
CVE-2016-2275 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
No known public exploits specifically target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability.
Advantech/B+B recommends users only operate VESP211 serial servers behind a local network firewall.