Published: 2017-08-24 (vendor: Westermo)
# Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455
### VULNERABLE VENDOR
Westermo
### VULNERABLE PRODUCT
MRD-305-DIN, MRD-315, MRD-355, and MRD-455
Mandar Jadhav from Qualys Security has identified the vulnerabilities.
### AFFECTED PRODUCTS
The following Westermo router models and firmware versions are affected:
- MRD-305-DIN versions older than 184.108.40.206, and
- MRD-315, MRD-355, MRD-455 versions older than 220.127.116.11
Successful exploitation of these vulnerabilities could allow a remote attacker to obtain hard-coded cryptographic keys, hard-coded credentials, or trick a user into submitting a malicious request, resulting in the attacker gaining unauthorized access to the device and running arbitrary code.
### VULNERABILITY OVERVIEW
#### CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The application does not verify whether a request was intentionally provided by the user, making it possible for an attacker to trick a user into making a malicious request to the server.
CVE-2017-12703 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
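The missing check described above, shown as an added example that is not Westermo's code: a minimal model of a router web handler in its CWE-352 form beside a hardened form that requires a per-session synchronizer token and a matching Origin/Referer header. The session ids, the documentation address 192.0.2.1 standing in for the device, and the request dicts are all constructed for the illustration.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed example, not Westermo code. A request is modelled as a dict with
# "method", "headers", "cookie" and "form" fields.
SECRET = secrets.token_bytes(32)      # server-side secret, generated per process
DEVICE_ORIGIN = "https://192.0.2.1"   # documentation address standing in for the router

def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session; a foreign page cannot compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_handler(req: dict) -> bool:
    """CWE-352 pattern: any POST that carries a session cookie is acted upon.
    The browser attaches the cookie to cross-site requests automatically."""
    return req["method"] == "POST" and req["cookie"].get("session") is not None

def hardened_handler(req: dict) -> bool:
    """Act only when the session cookie, the anti-CSRF token and the request
    origin all agree that the user's own page submitted the request."""
    if req["method"] != "POST":
        return False
    session_id = req["cookie"].get("session")
    if not session_id:
        return False
    # 1. Token in the form must match the one issued to this session (constant-time compare).
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(issue_token(session_id), supplied):
        return False
    # 2. Origin header (Referer as fallback) must name the device itself.
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" == DEVICE_ORIGIN

def demo() -> dict:
    """Run one legitimate and one forged request through both handlers."""
    sid = "session-constructed-001"
    legit = {"method": "POST", "cookie": {"session": sid},
             "headers": {"Origin": DEVICE_ORIGIN},
             "form": {"csrf_token": issue_token(sid), "setting": "new-value"}}
    forged = {"method": "POST", "cookie": {"session": sid},        # cookie rides along
              "headers": {"Origin": "https://third-party.example"},  # page on another site
              "form": {"setting": "new-value"}}                      # no token available
    return {"vulnerable_accepts_forged": vulnerable_handler(forged),
            "hardened_accepts_forged": hardened_handler(forged),
            "hardened_accepts_legit": hardened_handler(legit)}
```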
#### USE OF HARD-CODED CREDENTIALS CWE-798
The device utilizes hard-coded credentials, which could allow for unauthorized local low privileged access to the device.
CVE-2017-12709 has been assigned to this vulnerability.
A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
#### USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
The device utilizes hard-coded private cryptographic keys that may allow an attacker to decrypt traffic from any other source.
CVE-2016-5816 has been assigned to this vulnerability.
A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, and Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Sweden
Westermo recommends that users update to the latest firmware version 18.104.22.168. The new version can be downloaded at:
Westermo has also released a security advisory that can be found at: