Details of VAR-201702-0681

ID

VAR-201702-0681

CVE

CVE-2017-5163

TITLE

Belden Hirschmann GECKO Lite Managed Switch Information Disclosure Vulnerability

Trust: 1.4

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNVD: CNVD-2017-01671 // CNNVD: CNNVD-201702-269

DESCRIPTION

An issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. After an administrator downloads a configuration file, a copy of the configuration file, which includes hashes of user passwords, is saved to a location that is accessible without authentication by path traversal. BeldenHirschmannGECKOLiteManagedSwitch is a switch product from Belden Corporation of the United States. An information disclosure vulnerability exists in BeldenHirschmannGECKOLiteManagedSwitch 2.0.00 and earlier. An attacker could exploit this vulnerability to obtain sensitive information. This may result in further attacks

Trust: 2.7

sources: NVD: CVE-2017-5163 // JVNDB: JVNDB-2017-001953 // CNVD: CNVD-2017-01671 // BID: 95815 // IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // VULHUB: VHN-113366

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNVD: CNVD-2017-01671

AFFECTED PRODUCTS

vendor:	belden hirschmann	model:	gecko lite managed switch	scope:	lte	version:	2.0.00	Trust: 1.0
vendor:	belden	model:	gecko lite managed switch	scope:	-	version:	-	Trust: 0.8
vendor:	belden	model:	gecko lite managed switch	scope:	lte	version:	2.0.00	Trust: 0.8
vendor:	belden	model:	hirschmann gecko lite managed switch	scope:	lte	version:	<=2.0.00	Trust: 0.6
vendor:	belden hirschmann	model:	gecko lite managed switch	scope:	eq	version:	2.0.00	Trust: 0.6
vendor:	belden	model:	hirschmann gecko lite managed switch	scope:	eq	version:	2.0	Trust: 0.3
vendor:	belden	model:	hirschmann gecko lite managed switch	scope:	ne	version:	2.0.1	Trust: 0.3
vendor:	gecko lite managed switch	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNVD: CNVD-2017-01671 // BID: 95815 // JVNDB: JVNDB-2017-001953 // CNNVD: CNNVD-201702-269 // NVD: CVE-2017-5163

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-5163
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-5163
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-01671
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201702-269
value:	MEDIUM
Trust: 0.6
IVD:	a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f
value:	MEDIUM
Trust: 0.2
VULHUB:	VHN-113366
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-5163
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-01671
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-113366
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-5163
baseSeverity:	MEDIUM
baseScore:	5.9
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.2
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNVD: CNVD-2017-01671 // VULHUB: VHN-113366 // JVNDB: JVNDB-2017-001953 // CNNVD: CNNVD-201702-269 // NVD: CVE-2017-5163

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-113366 // JVNDB: JVNDB-2017-001953 // NVD: CVE-2017-5163

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201702-269

TYPE

Path traversal

Trust: 0.8

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNNVD: CNNVD-201702-269

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-001953

PATCH

title:	Lite Managed Industrial Switch - GECKO 4TX	url:	http://www.hirschmann.com/en/Hirschmann_Produkte/Industrial_Ethernet/GECKO_4TX/index.phtml	Trust: 0.8
title:	BeldenHirschmannGECKOLiteManagedSwitch Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/89569	Trust: 0.6
title:	Belden Hirschmann GECKO Lite Managed Switch Repair measures for information disclosure vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=67554	Trust: 0.6

sources: CNVD: CNVD-2017-01671 // JVNDB: JVNDB-2017-001953 // CNNVD: CNNVD-201702-269

EXTERNAL IDS

db:	NVD	id:	CVE-2017-5163	Trust: 3.6
db:	BID	id:	95815	Trust: 2.6
db:	ICS CERT	id:	ICSA-17-026-02	Trust: 2.0
db:	CNNVD	id:	CNNVD-201702-269	Trust: 0.9
db:	CNVD	id:	CNVD-2017-01671	Trust: 0.8
db:	ICS CERT	id:	ICSA-17-026-02A	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-001953	Trust: 0.8
db:	IVD	id:	A34AE3A0-F5E1-4CF5-8D14-5EB39E89375F	Trust: 0.2
db:	VULHUB	id:	VHN-113366	Trust: 0.1

sources: IVD: a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f // CNVD: CNVD-2017-01671 // VULHUB: VHN-113366 // BID: 95815 // JVNDB: JVNDB-2017-001953 // CNNVD: CNNVD-201702-269 // NVD: CVE-2017-5163

REFERENCES

url:	http://www.securityfocus.com/bid/95815	Trust: 2.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-026-02	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5163	Trust: 0.8
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-026-02a	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2017-5163	Trust: 0.8
url:	https://www.belden.com/	Trust: 0.3
url:	https://ics-cert.us-cert.gov/advisories/icsa-17-026-02	Trust: 0.3

sources: CNVD: CNVD-2017-01671 // VULHUB: VHN-113366 // BID: 95815 // JVNDB: JVNDB-2017-001953 // CNNVD: CNNVD-201702-269 // NVD: CVE-2017-5163

CREDITS

Davy Douhine of RandoriSec identified this vulnerability.

Trust: 0.9

sources: BID: 95815 // CNNVD: CNNVD-201702-269

SOURCES

db:	IVD	id:	a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f
db:	CNVD	id:	CNVD-2017-01671
db:	VULHUB	id:	VHN-113366
db:	BID	id:	95815
db:	JVNDB	id:	JVNDB-2017-001953
db:	CNNVD	id:	CNNVD-201702-269
db:	NVD	id:	CVE-2017-5163

LAST UPDATE DATE

2025-04-20T23:23:52.775000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-01671	date:	2017-02-21T00:00:00
db:	VULHUB	id:	VHN-113366	date:	2017-03-03T00:00:00
db:	BID	id:	95815	date:	2017-02-02T02:02:00
db:	JVNDB	id:	JVNDB-2017-001953	date:	2017-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201702-269	date:	2017-02-10T00:00:00
db:	NVD	id:	CVE-2017-5163	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	a34ae3a0-f5e1-4cf5-8d14-5eb39e89375f	date:	2017-02-21T00:00:00
db:	CNVD	id:	CNVD-2017-01671	date:	2017-02-21T00:00:00
db:	VULHUB	id:	VHN-113366	date:	2017-02-13T00:00:00
db:	BID	id:	95815	date:	2017-01-26T00:00:00
db:	JVNDB	id:	JVNDB-2017-001953	date:	2017-03-24T00:00:00
db:	CNNVD	id:	CNNVD-201702-269	date:	2017-01-26T00:00:00
db:	NVD	id:	CVE-2017-5163	date:	2017-02-13T21:59:02.877