// For flags

CVE-2016-9335

 

Severity Score

10.0
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication. Because these keys cannot be regenerated by users, all products use the same key. The attacker could disrupt communication or compromise the system. CVSS v3 base score: 10, CVSS vector string: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recommends updating to SLX firmware Version 5.3.174.

Se ha identificado una vulnerabilidad de clave criptográfica embebida en Red Lion Controls Sixnet-Managed Industrial Switches con firmware en versión 5.0.196 y Stride-Managed Ethernet Switches con firmware en versión 5.0.190. Las versiones vulnerables de los switches Stride-Managed Ethernet y Sixnet-Managed Industrial emplean claves SSL/SSH HTTP embebidas para lograr una comunicación segura. Debido a que las claves no pueden ser regeneradas por los usuarios, todos los productos emplean la misma clave. El atacante podría interrumpir la comunicación o comprometer el sistema. Puntuación base de CVSS v3: 10, cadena de vector CVSS: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recomienda actualizar a la versión de firmware SLX 5.3.174.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-11-16 CVE Reserved
  • 2018-05-09 CVE Published
  • 2024-09-16 CVE Updated
  • 2024-09-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-798: Use of Hard-coded Credentials
CAPEC
References (1)
URL Tag Source
https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redlion
Search vendor "Redlion"
 Sixnet-managed Industrial Switches Firmware
Search vendor "Redlion" for product "Sixnet-managed Industrial Switches Firmware"
 <= 5.0.196
Search vendor "Redlion" for product "Sixnet-managed Industrial Switches Firmware" and version " <= 5.0.196"
-
Affected
in Redlion
Search vendor "Redlion"
 Sixnet-managed Industrial Switches
Search vendor "Redlion" for product "Sixnet-managed Industrial Switches"
--
Safe
Redlion
Search vendor "Redlion"
 Stride-managed Ethernet Switches Firmware
Search vendor "Redlion" for product "Stride-managed Ethernet Switches Firmware"
 <= 5.0.190
Search vendor "Redlion" for product "Stride-managed Ethernet Switches Firmware" and version " <= 5.0.190"
-
Affected
in Redlion
Search vendor "Redlion"
 Stride-managed Ethernet Switches
Search vendor "Redlion" for product "Stride-managed Ethernet Switches"
--
Safe