Details of VAR-201604-0016

ID

VAR-201604-0016

CVE

CVE-2016-0871

TITLE

Eaton Lighting EG2 Web Control Vulnerable to reading configuration files

Trust: 0.8

sources: JVNDB: JVNDB-2016-001952

DESCRIPTION

Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to read the configuration file, and consequently discover credentials, via a direct request. EatonLightingSystemsEG2WebControl is a controller product from EatonLighting Systems of the United States for connecting the Internet and Wi-Fi LAN to the iLumin network. There is a certification bypass vulnerability in EatonLightingSystemsEG2WebControlV4.04P and earlier. A remote attacker could exploit the vulnerability to directly access the configuration file and view the certificate. Eaton Lighting Systems EG2 Web Control is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit these issues to bypass security restrictions and gain access to potentially sensitive information. This may aid in other attacks. EG2 Web Control 4.04P and prior versions are vulnerable

Trust: 2.43

sources: NVD: CVE-2016-0871 // JVNDB: JVNDB-2016-001952 // CNVD: CNVD-2016-02007 // BID: 85861

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-02007

AFFECTED PRODUCTS

vendor:	eaton lighting	model:	eg2 web control	scope:	lte	version:	4.04p	Trust: 1.0
vendor:	eaton	model:	eg2 web control	scope:	lte	version:	4.04p	Trust: 0.8
vendor:	eaton	model:	lighting systems eg2 web control >=4.04p	scope:	-	version:	-	Trust: 0.6
vendor:	eaton lighting	model:	eg2 web control	scope:	eq	version:	4.04p	Trust: 0.6

sources: CNVD: CNVD-2016-02007 // JVNDB: JVNDB-2016-001952 // CNNVD: CNNVD-201604-032 // NVD: CVE-2016-0871

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-0871
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-0871
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-02007
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201604-032
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2016-0871
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-02007
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2016-0871
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-02007 // JVNDB: JVNDB-2016-001952 // CNNVD: CNNVD-201604-032 // NVD: CVE-2016-0871

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2016-001952 // NVD: CVE-2016-0871

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201604-032

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201604-032

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001952

PATCH

title:	Ethernet Gateway	url:	http://www.ilight.co.uk/products-interfaces.html	Trust: 0.8
title:	EatonLightingSystemsEG2WebControl authentication bypasses the patch for the vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/73685	Trust: 0.6
title:	Eaton Lighting Systems EG2 Web Control Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60767	Trust: 0.6

sources: CNVD: CNVD-2016-02007 // JVNDB: JVNDB-2016-001952 // CNNVD: CNNVD-201604-032

EXTERNAL IDS

db:	NVD	id:	CVE-2016-0871	Trust: 3.3
db:	ICS CERT	id:	ICSA-16-061-03	Trust: 3.0
db:	JVNDB	id:	JVNDB-2016-001952	Trust: 0.8
db:	CNVD	id:	CNVD-2016-02007	Trust: 0.6
db:	CNNVD	id:	CNNVD-201604-032	Trust: 0.6
db:	BID	id:	85861	Trust: 0.3

sources: CNVD: CNVD-2016-02007 // BID: 85861 // JVNDB: JVNDB-2016-001952 // CNNVD: CNNVD-201604-032 // NVD: CVE-2016-0871

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-061-03	Trust: 3.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-0871	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-0871	Trust: 0.8

sources: CNVD: CNVD-2016-02007 // JVNDB: JVNDB-2016-001952 // CNNVD: CNNVD-201604-032 // NVD: CVE-2016-0871

CREDITS

Maxim Rupp

Trust: 0.9

sources: BID: 85861 // CNNVD: CNNVD-201604-032

SOURCES

db:	CNVD	id:	CNVD-2016-02007
db:	BID	id:	85861
db:	JVNDB	id:	JVNDB-2016-001952
db:	CNNVD	id:	CNNVD-201604-032
db:	NVD	id:	CVE-2016-0871

LAST UPDATE DATE

2025-04-12T23:15:36.072000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-02007	date:	2016-04-07T00:00:00
db:	BID	id:	85861	date:	2016-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2016-001952	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-032	date:	2016-04-07T00:00:00
db:	NVD	id:	CVE-2016-0871	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-02007	date:	2016-04-07T00:00:00
db:	BID	id:	85861	date:	2016-04-06T00:00:00
db:	JVNDB	id:	JVNDB-2016-001952	date:	2016-04-08T00:00:00
db:	CNNVD	id:	CNNVD-201604-032	date:	2016-04-06T00:00:00
db:	NVD	id:	CVE-2016-0871	date:	2016-04-06T23:59:03.457