Details of VAR-201805-0207

ID

VAR-201805-0207

CVE

CVE-2016-9335

TITLE

Red Lion Controls Sixnet-Managed Industrial Switches and Stride-Managed Ethernet Switches Vulnerabilities related to the use of hard-coded credentials in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2016-009039

DESCRIPTION

A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication. Because these keys cannot be regenerated by users, all products use the same key. The attacker could disrupt communication or compromise the system. CVSS v3 base score: 10, CVSS vector string: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recommends updating to SLX firmware Version 5.3.174

Trust: 2.7

sources: NVD: CVE-2016-9335 // JVNDB: JVNDB-2016-009039 // CNVD: CNVD-2017-02585 // IVD: 7d7ae200-463f-11e9-ba56-000c29342cb1 // IVD: b4b525b8-c3bc-49ae-ba77-47d9bb95900f // VULHUB: VHN-98155 // VULMON: CVE-2016-9335

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 1.0

sources: IVD: 7d7ae200-463f-11e9-ba56-000c29342cb1 // IVD: b4b525b8-c3bc-49ae-ba77-47d9bb95900f // CNVD: CNVD-2017-02585

AFFECTED PRODUCTS

vendor:	redlion	model:	stride-managed ethernet switches	scope:	lte	version:	5.0.190	Trust: 1.0
vendor:	redlion	model:	sixnet-managed industrial switches	scope:	lte	version:	5.0.196	Trust: 1.0
vendor:	red lion controls	model:	sixnet-managed industrial switches	scope:	eq	version:	5.0.196	Trust: 0.8
vendor:	red lion controls	model:	stride-managed ethernet switches	scope:	eq	version:	5.0.190	Trust: 0.8
vendor:	red	model:	lion controls sixnet-managed industrial switches	scope:	lte	version:	<=5.0.196	Trust: 0.6
vendor:	red	model:	lion controls stride-managed ethernet switches	scope:	lte	version:	<=5.0.190	Trust: 0.6
vendor:	redlion	model:	sixnet-managed industrial switches	scope:	eq	version:	5.0.196	Trust: 0.6
vendor:	redlion	model:	stride-managed ethernet switches	scope:	eq	version:	5.0.190	Trust: 0.6
vendor:	sixnet managed industrial switches	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	stride managed ethernet switches	model:	-	scope:	eq	version:	*	Trust: 0.4

sources: IVD: 7d7ae200-463f-11e9-ba56-000c29342cb1 // IVD: b4b525b8-c3bc-49ae-ba77-47d9bb95900f // CNVD: CNVD-2017-02585 // JVNDB: JVNDB-2016-009039 // CNNVD: CNNVD-201704-556 // NVD: CVE-2016-9335

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9335
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2016-9335
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2017-02585
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201704-556
value:	CRITICAL
Trust: 0.6
IVD:	7d7ae200-463f-11e9-ba56-000c29342cb1
value:	CRITICAL
Trust: 0.2
IVD:	b4b525b8-c3bc-49ae-ba77-47d9bb95900f
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-98155
value:	HIGH
Trust: 0.1
VULMON:	CVE-2016-9335
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2016-9335
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2017-02585
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	7d7ae200-463f-11e9-ba56-000c29342cb1
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
IVD:	b4b525b8-c3bc-49ae-ba77-47d9bb95900f
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-98155
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-9335
baseSeverity:	CRITICAL
baseScore:	10.0
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	6.0
version:	3.0
Trust: 1.8

sources: IVD: 7d7ae200-463f-11e9-ba56-000c29342cb1 // IVD: b4b525b8-c3bc-49ae-ba77-47d9bb95900f // CNVD: CNVD-2017-02585 // VULHUB: VHN-98155 // VULMON: CVE-2016-9335 // JVNDB: JVNDB-2016-009039 // CNNVD: CNNVD-201704-556 // NVD: CVE-2016-9335

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.9
problemtype:	CWE-321	Trust: 1.0

sources: VULHUB: VHN-98155 // JVNDB: JVNDB-2016-009039 // NVD: CVE-2016-9335

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201704-556

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201704-556

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-009039

PATCH

title:	Top Page	url:	http://www.redlion.net/	Trust: 0.8
title:	Patch for Red Lion Controls Sixnet-Managed Industrial Switches and Stride-Managed Ethernet Switches Hardcoded Encryption Key Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/90358	Trust: 0.6
title:	Red Lion Controls Sixnet-Managed Industrial Switches and AutomationDirect Stride-Managed Ethernet Switches Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=74787	Trust: 0.6

sources: CNVD: CNVD-2017-02585 // JVNDB: JVNDB-2016-009039 // CNNVD: CNNVD-201704-556

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9335	Trust: 3.6
db:	ICS CERT	id:	ICSA-17-054-02	Trust: 3.2
db:	CNNVD	id:	CNNVD-201704-556	Trust: 1.1
db:	CNVD	id:	CNVD-2017-02585	Trust: 1.0
db:	JVNDB	id:	JVNDB-2016-009039	Trust: 0.8
db:	IVD	id:	7D7AE200-463F-11E9-BA56-000C29342CB1	Trust: 0.2
db:	IVD	id:	B4B525B8-C3BC-49AE-BA77-47D9BB95900F	Trust: 0.2
db:	VULHUB	id:	VHN-98155	Trust: 0.1
db:	VULMON	id:	CVE-2016-9335	Trust: 0.1

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-054-02	Trust: 3.3
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9335	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2016-9335	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/798.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: CNVD: CNVD-2017-02585 // VULHUB: VHN-98155 // VULMON: CVE-2016-9335 // JVNDB: JVNDB-2016-009039 // CNNVD: CNNVD-201704-556 // NVD: CVE-2016-9335

SOURCES

db:	IVD	id:	7d7ae200-463f-11e9-ba56-000c29342cb1
db:	IVD	id:	b4b525b8-c3bc-49ae-ba77-47d9bb95900f
db:	CNVD	id:	CNVD-2017-02585
db:	VULHUB	id:	VHN-98155
db:	VULMON	id:	CVE-2016-9335
db:	JVNDB	id:	JVNDB-2016-009039
db:	CNNVD	id:	CNNVD-201704-556
db:	NVD	id:	CVE-2016-9335

LAST UPDATE DATE

2024-11-23T23:09:05.612000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-02585	date:	2017-03-10T00:00:00
db:	VULHUB	id:	VHN-98155	date:	2019-10-09T00:00:00
db:	VULMON	id:	CVE-2016-9335	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2016-009039	date:	2018-07-05T00:00:00
db:	CNNVD	id:	CNNVD-201704-556	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2016-9335	date:	2024-11-21T03:00:58.820

SOURCES RELEASE DATE

db:	IVD	id:	7d7ae200-463f-11e9-ba56-000c29342cb1	date:	2017-03-10T00:00:00
db:	IVD	id:	b4b525b8-c3bc-49ae-ba77-47d9bb95900f	date:	2017-03-10T00:00:00
db:	CNVD	id:	CNVD-2017-02585	date:	2017-03-10T00:00:00
db:	VULHUB	id:	VHN-98155	date:	2018-05-09T00:00:00
db:	VULMON	id:	CVE-2016-9335	date:	2018-05-09T00:00:00
db:	JVNDB	id:	JVNDB-2016-009039	date:	2018-07-05T00:00:00
db:	CNNVD	id:	CNNVD-201704-556	date:	2017-03-23T00:00:00
db:	NVD	id:	CVE-2016-9335	date:	2018-05-09T13:29:00.247