ICSA-18-200-03 · Published 2018-09-18
Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A)
CVSS 9.8 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow for remote code execution on the device.
Remediations
- For CVE-2018-10627, Echelon recommends affected users modify the WebParams.dat file.
- SmartServer 2 Service Pack 7 is install
- All SmartServer and i.LON 600 devices, along with any servers using the SmartServer and i.LON services, should be installed behind a firewall or on a VLAN without other devices.
- Change the username and password during the initial installation of the affected products.
- Disable unencrypted services and secure encrypted services for the SmartServer or i.LON 100.
- For CVE-2018-8859, Echelon recommends affected users install the i.LON 600 and any servers using the i.LON 600 behind a firewall or on a VLAN without other devices.
- Echelon recommends that affected users install SmartServer 2 Service Pack 7 (Version 4.11.007) to mitigate CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855.
Affected Vendors
Echelon
Affected Products (4)
- Echelon SmartServer 1: vers:all/*
- Echelon i.LON 600: vers:all/*
- Echelon SmartServer 2: < 4.11.007
- Echelon i.LON 100: vers:all/*
Affected Sectors
Commercial Facilities, Critical Manufacturing, Information Technology