search menu icon-carat-right cmu-wordmark

CERT Coordination Center


IntelliCom NetBiter devices have default HICP passwords

Vulnerability Note VU#902793

Original Release Date: 2010-04-06 | Last Revised: 2010-04-29

Overview

IntelliCom NetBiter devices ship with default passwords for the HICP network configuration service. An attacker with network access could change network settings and prevent legitimate users from accessing the HICP service.

Description

IntelliCom NetBiter products use the proprietary HICP protocol to configure ethernet and IP network settings. NetBiter devices ship with default, well-known HICP passwords. The password is not hard-coded (persistent) as described in the original post by Rubén Santamarta. The password is set by default but can be changed.

Impact

An attacker with network access could change network settings and prevent legitimate users from accessing the HICP service. HICP transmits the password in plain text, so the attacker may also be able to monitor HICP communication and read the changed password.

Solution

Change default passwords

Change the default password before deploying NetBiter devices in an production environment. Please see IntelliCom Security Bulletin ISFR-4404-0008.


Restrict access

Restrict access to SCADA, DCS, and other control system networks, particularly networks using open protocols like HICP.

Vendor Information

902793
Expand all

IntelliCom Innovation AB

Updated:  April 29, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see IntelliCom Security Bulletin ISFR-4404-0008.

Vendor References

http://support.intellicom.se/getfile.cfm?FID=151

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This information was published by Rubén Santamarta. The default password is also documented in NetBiter user manuals. ICS-CERT researched this vulnerability and confirmed that the HICP password can be changed and is not persistent.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2009-4463
Date Public: 2009-12-12
Date First Published: 2010-04-06
Date Last Updated: 2010-04-29 21:05 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.