Hirschmann "Classic Platform" switches contain a password sync feature that syncs the switch administrator password with the SNMP community password, exposing the administrator password to attackers on the local network.
CWE-257: Storing Passwords in a Recoverable Format
For all Hirschmann (part of Belden) "Classic Platform" switches (which includes the MACH series workgroup switches, among others), by default, the switch administrator password is used to construct an SNMP community string that allows remote management of some switch configuration. Attackers on the local network with the ability to sniff network traffic may be able to recover the administrator password from the community string.
An attacker on the local network may learn the switch administrator password from the SNMP community string, which is sent over the network in plaintext in SNMPv1 and SNMPv2.
Disable the SNMP Password Sync feature and use SNMPv3
Yokogawa Electric Corporation
Thanks to Mark Jaques for reporting this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:||2016-02-16|
|Date Last Updated:||2016-11-09 21:38 UTC|