PT-2017-09: Information Disclosure in Hirschmann Automation and Control GmbH Classic Platform Switches

Vulnerable products

RS
Version: all versions

RSR
Version: all versions

RSB
Version: all versions

MACH100
Version: all versions

MACH1000
Version: all versions

MACH4000
Version: all versions

MS
Version: all versions

OCTOPUS
Version: all versions

Link: http://www.hirschmann.com/

Severity level

Severity level: Medium
Impact: Information Disclosure
Access Vector: Remote

CVSS v3:
Base Score: 5.9
Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE: CVE-2018-5471

Vulnerability description

The specialists of the Positive Research center have detected an Information Disclosure vulnerability in Hirschmann Automation and Control GmbH Classic Platform Switches.

A cleartext transmission of information vulnerability in the web interface of Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches allows man-in-the-middle attackers to obtain sensitive data.

How to fix

Use the recommendations

Advisory status

16.03.2017 - Vendor gets vulnerability details
06.03.2018 - Vendor releases fixed version and details
28.04.2018 - Public disclosure

Credits

The vulnerability was detected by Ilya Karpov, Evgeniy Druzhinin, and Damir Zainullin, Positive Research Center (Positive Technologies Company).

References

http://en.securitylab.ru/lab/PT-2017-09

Reports on the vulnerabilities previously discovered by Positive Research:
https://www.ptsecurity.com/
https://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies is a leading provider of vulnerability assessment, compliance management and threat analysis solutions to more than 1,000 global enterprise clients. Our solutions work seamlessly across your entire business: securing applications in development; assessing your network and application vulnerabilities; assuring compliance with regulatory requirements; and blocking real-time attacks.
Our commitment to clients and research has earned Positive Technologies a reputation as one of the foremost authorities on SCADA, Banking, Telecom, Web Application and ERP security, and distinction as the #1 fastest growing Security and Vulnerability Management firm in 2012, as shown in an IDC report*.

To learn more about Positive Technologies please visit www.ptsecurity.com

*Source: IDC Worldwide Security and Vulnerability Management 2013-2017 Forecast and 2012 Vendor Shares, doc #242465, August 2013. Based on year-over-year revenue growth in 2012 for vendors with revenues of $20M+.