SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-648889685] Eaton xComfort Ethernet Communication Interface

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2017-03-02 | Other | Eaton | Maxim Rupp identified the vulnerability. | N/A | CVE-2016-9368 | N/A | N/A | N/A | |

Source

#
# Eaton xComfort Ethernet Communication Interface
#


### VULNERABLE VENDOR
Eaton


### VULNERABLE PRODUCT
xComfort Ethernet Communication Interface



### RESEARCHER
Maxim Rupp identified the vulnerability.



### AFFECTED PRODUCTS

The following versions of xComfort Ethernet Communication Interface (ECI), a building automation system, are affected:

xComfort ECI Versions 1.07 and prior.



### IMPACT

Successful exploitation of this vulnerability may allow a remote attacker to access backup files and system logs without authenticating.



### VULNERABILITY OVERVIEW

IMPROPER ACCESS CONTROL CWE-284

By requesting a specific uniform resource locator (URL) on the device's web server, a malicious user can retrieve backup files and system logs without authenticating. The URL itself is not disclosed in this advisory.

CVE-2016-9368 has been assigned to this vulnerability.

A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): reachable over the network, no privileges or user interaction required, high confidentiality impact, no integrity or availability impact.
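The pattern described above, a file-download URL that the web server hands out before it has checked who is asking, is modelled in the added example below. This is illustrative code written for this page, not Eaton's firmware and not the real ECI URL layout: the paths, file contents, and credentials are constructed assumptions. It shows the vulnerable dispatch order beside a hardened handler that decides authentication before any route is consulted, and a small in-process check that reports which paths are retrievable with no credentials at all.

```python
"""Added example, not Eaton's code: a minimal model of the CWE-284 pattern in
this advisory (a download URL served before the authentication check) beside
a hardened handler, plus a check that distinguishes the two."""
import base64
import binascii
import hmac
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed stand-ins for the backup files and system logs; the paths,
# contents and credentials are assumptions, not the real device layout.
FILES: Dict[str, bytes] = {
    "/backup/config.bak": b"constructed backup archive",
    "/log/system.log": b"constructed system log",
}
VALID_USER = b"admin"
VALID_PASSWORD = b"correct horse battery staple"


def parse_basic_auth(environ: Dict[str, str]) -> Optional[Tuple[bytes, bytes]]:
    """Return (user, password) from an HTTP Basic Authorization header, or None
    when the header is absent or malformed. Malformed input must fail closed,
    never raise into some default 'allow' path."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(b":")
    return (user, password) if sep else None


def credentials_valid(creds: Optional[Tuple[bytes, bytes]]) -> bool:
    """Constant-time comparison so timing does not reveal which part failed."""
    if creds is None:
        return False
    user_ok = hmac.compare_digest(creds[0], VALID_USER)
    password_ok = hmac.compare_digest(creds[1], VALID_PASSWORD)
    return user_ok and password_ok


def _serve_file(path: str, start_response) -> List[bytes]:
    body = FILES.get(path)
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [body]


def _unauthorized(start_response) -> List[bytes]:
    start_response("401 Unauthorized",
                   [("WWW-Authenticate", 'Basic realm="device"'),
                    ("Content-Type", "text/plain")])
    return [b"authentication required"]


def vulnerable_app(environ, start_response) -> List[bytes]:
    """Bug pattern: download routes are dispatched before the auth check, so
    knowing the URL is enough to fetch the file (improper access control)."""
    path = environ["PATH_INFO"]
    if path in FILES:
        return _serve_file(path, start_response)
    if not credentials_valid(parse_basic_auth(environ)):
        return _unauthorized(start_response)
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>device UI</html>"]


def hardened_app(environ, start_response) -> List[bytes]:
    """Fix: authentication is decided once, before any route is looked at."""
    if not credentials_valid(parse_basic_auth(environ)):
        return _unauthorized(start_response)
    path = environ["PATH_INFO"]
    if path in FILES:
        return _serve_file(path, start_response)
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>device UI</html>"]


def request(app: Callable, path: str,
            credentials: Optional[Tuple[bytes, bytes]] = None) -> Tuple[str, bytes]:
    """Drive a WSGI app in-process (no network) and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if credentials is not None:
        token = base64.b64encode(credentials[0] + b":" + credentials[1]).decode("ascii")
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def unauthenticated_downloads(app: Callable, paths: Iterable[str]) -> List[str]:
    """Paths that answer 200 with no credentials at all; this list should be empty."""
    return [p for p in paths if request(app, p)[0].startswith("200")]


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, unauthenticated_downloads(app, FILES))
```

The same no-credentials probe is what you would run against a real device (with the vendor's path list, once known) to confirm a patch took effect: a fixed build must return 401 for every download path when the request carries no Authorization header.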





### BACKGROUND

Critical Infrastructure Sector(s): Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Dublin, Ireland




### MITIGATION

Eaton recommends that affected users upgrade to the latest version of the software, which is downloadable from the Software Downloads tab under the Documentation tab at the following link:

http://www.eaton.eu/Europe/Electrical/ProductsServices/Residential/xComfort-RFSmartHomeSolutions/index.htm?wtredirect=www.eaton.eu/xcomfort#tabs-11

Because the flaw needs no credentials, any host that can reach the ECI web server can retrieve the backup files and system logs until the upgrade is applied, so the web interface should not be exposed to untrusted networks in the meantime.