Sign-up

ID

VAR-201708-1123


CVE

CVE-2017-12709


TITLE

plural Westermo Vulnerabilities related to the use of hard-coded credentials in products

Trust: 0.8

sources: JVNDB: JVNDB-2017-007382

DESCRIPTION

A Use of Hard-Coded Credentials issue was discovered in MRD-305-DIN versions older than 1.7.5.0, and MRD-315, MRD-355, MRD-455 versions older than 1.7.5.0. The device utilizes hard-coded credentials, which could allow for unauthorized local low-privileged access to the device. plural Westermo The product contains a vulnerability related to the use of hard-coded credentials.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. The RD-305-DIN, MRD-315, MRD-355, and MRD-455 are all Westermo router devices. A number of Westermo routers have a hard-coded password vulnerability, and the device uses a hard-coded private key that allows an attacker to decrypt traffic from any other source. Multiple Westermo Routers are prone to the following security vulnerabilities: 1. A hard-coded credentials vulnerability 2. A cross-site request forgery vulnerability 3. Westermo MRD-305-DIN etc. The following products and versions are affected: Westermo MRD-305-DIN prior to 1.7.5.0, MRD-315 prior to 1.7.5.0, MRD-355 prior to 1.7.5.0, MRD-455 prior to 1.7.5.0

Trust: 3.24

sources: NVD: CVE-2017-12709 // JVNDB: JVNDB-2017-007382 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23003 // BID: 100470 // IVD: b092bd69-deb6-4923-9672-099597dfec25 // VULHUB: VHN-103258

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 1.2

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: b092bd69-deb6-4923-9672-099597dfec25 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23003

AFFECTED PRODUCTS

vendor:westermomodel:mrd-315-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-305-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-455-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-355-dinscope:eqversion: -

Trust: 1.6

vendor:westermomodel:mrd-305-dinscope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-315scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-355scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-455scope:ltversion:1.7.5.0

Trust: 1.2

vendor:westermomodel:mrd-305-dinscope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-315scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-355scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-455scope:lteversion:1.7.5.0

Trust: 0.8

vendor:westermomodel:mrd-455scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-355scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-315scope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-305-dinscope:eqversion:1.7.5.0

Trust: 0.3

vendor:westermomodel:mrd-455scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-355scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-315scope:neversion:1.7.7.0

Trust: 0.3

vendor:westermomodel:mrd-305-dinscope:neversion:1.7.7.0

Trust: 0.3

vendor:mrd 305 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 315 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 355 dinmodel: - scope:eqversion: -

Trust: 0.2

vendor:mrd 455 dinmodel: - scope:eqversion: -

Trust: 0.2

sources: IVD: b092bd69-deb6-4923-9672-099597dfec25 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23003 // BID: 100470 // JVNDB: JVNDB-2017-007382 // CNNVD: CNNVD-201708-1140 // NVD: CVE-2017-12709

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-12709
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-12709
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-23002
value: HIGH

Trust: 0.6

CNVD: CNVD-2017-23003
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201708-1140
value: MEDIUM

Trust: 0.6

IVD: b092bd69-deb6-4923-9672-099597dfec25
value: MEDIUM

Trust: 0.2

VULHUB: VHN-103258
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2017-12709
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-23002
severity: HIGH
baseScore: 9.4
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 9.2
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2017-23003
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: b092bd69-deb6-4923-9672-099597dfec25
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-103258
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-12709
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 1.8
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: IVD: b092bd69-deb6-4923-9672-099597dfec25 // CNVD: CNVD-2017-23002 // CNVD: CNVD-2017-23003 // VULHUB: VHN-103258 // JVNDB: JVNDB-2017-007382 // CNNVD: CNNVD-201708-1140 // NVD: CVE-2017-12709

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.9

sources: VULHUB: VHN-103258 // JVNDB: JVNDB-2017-007382 // NVD: CVE-2017-12709

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201708-1140

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201708-1140

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2017-007382

PATCH
title:Wireless routersurl:http://www.westermo.us/web/web_en_idc_us.nsf/AllDocuments/B84901DE5CC4368DC12578930031F1BC
Trust: 0.8
title:Patches for several Westermo router hardcoded password vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/100885
Trust: 0.6
title:Multiple Westermo routers hardcode patches for unauthorized access vulnerabilitiesurl:https://www.cnvd.org.cn/patchInfo/show/100886
Trust: 0.6
title:Multiple Westermo Repair measures for device security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74298
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23003 // 
            
            
            
            JVNDB: JVNDB-2017-007382 // 
            
            
            
            CNNVD: CNNVD-201708-1140

EXTERNAL IDS
db:ICS CERTid:ICSA-17-236-01
Trust: 4.0
db:NVDid:CVE-2017-12709
Trust: 3.6
db:BIDid:100470
Trust: 3.2
db:CNNVDid:CNNVD-201708-1140
Trust: 0.9
db:CNVDid:CNVD-2017-23003
Trust: 0.8
db:JVNDBid:JVNDB-2017-007382
Trust: 0.8
db:CNVDid:CNVD-2017-23002
Trust: 0.6
db:IVDid:B092BD69-DEB6-4923-9672-099597DFEC25
Trust: 0.2
db:VULHUBid:VHN-103258
Trust: 0.1
sources:
            
            
            IVD: b092bd69-deb6-4923-9672-099597dfec25 // 
            
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23003 // 
            
            
            
            VULHUB: VHN-103258 // 
            
            
            
            BID: 100470 // 
            
            
            
            JVNDB: JVNDB-2017-007382 // 
            
            
            
            CNNVD: CNNVD-201708-1140 // 
            
            
            
            NVD: CVE-2017-12709

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-17-236-01
Trust: 4.0
url:http://www.securityfocus.com/bid/100470
Trust: 2.9
url:http://www.westermo.com/
Trust: 0.9
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-12709
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2017-12709
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2017-23002 // 
            
            
            
            CNVD: CNVD-2017-23003 // 
            
            
            
            VULHUB: VHN-103258 // 
            
            
            
            BID: 100470 // 
            
            
            
            JVNDB: JVNDB-2017-007382 // 
            
            
            
            CNNVD: CNNVD-201708-1140 // 
            
            
            
            NVD: CVE-2017-12709

CREDITS
Mandar Jadhav from Qualys Security
Trust: 0.9
sources:
            
            
            BID: 100470 // 
            
            
            
            CNNVD: CNNVD-201708-1140

SOURCES
db:IVDid:b092bd69-deb6-4923-9672-099597dfec25
db:CNVDid:CNVD-2017-23002
db:CNVDid:CNVD-2017-23003
db:VULHUBid:VHN-103258
db:BIDid:100470
db:JVNDBid:JVNDB-2017-007382
db:CNNVDid:CNNVD-201708-1140
db:NVDid:CVE-2017-12709

LAST UPDATE DATE
2025-04-20T23:12:41.070000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2017-23002date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23003date:2017-08-26T00:00:00
db:VULHUBid:VHN-103258date:2019-10-09T00:00:00
db:BIDid:100470date:2019-04-15T18:00:00
db:JVNDBid:JVNDB-2017-007382date:2017-09-20T00:00:00
db:CNNVDid:CNNVD-201708-1140date:2019-10-17T00:00:00
db:NVDid:CVE-2017-12709date:2025-04-20T01:37:25.860

SOURCES RELEASE DATE
db:IVDid:b092bd69-deb6-4923-9672-099597dfec25date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23002date:2017-08-26T00:00:00
db:CNVDid:CNVD-2017-23003date:2017-08-26T00:00:00
db:VULHUBid:VHN-103258date:2017-08-25T00:00:00
db:BIDid:100470date:2017-08-24T00:00:00
db:JVNDBid:JVNDB-2017-007382date:2017-09-20T00:00:00
db:CNNVDid:CNNVD-201708-1140date:2017-08-28T00:00:00
db:NVDid:CVE-2017-12709date:2017-08-25T16:29:00.270