Eaton Lighting Systems EG2 Web Control Authentication Bypass Vulnerabilities
Monitor · Score 7.5 · ICS-CERT ICSA-16-061-03 · Dec 3, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Eaton EG2 Web Control version V4.04P and earlier contains authentication bypass vulnerabilities (CWE-565, CWE-312). An attacker can bypass the web interface authentication mechanism to gain unauthorized access and modify lighting control settings without valid credentials.
What this means
What could happen
An attacker could bypass authentication to the EG2 Web Control interface and modify lighting configurations, schedules, or control settings without valid credentials, disrupting normal facility lighting operations.
Who's at risk
Facility managers and operators at buildings with Eaton EG2 Web Control lighting systems. This affects any organization using centralized web-based lighting control, including office buildings, industrial facilities, commercial spaces, and municipal buildings.
How it could be exploited
An attacker with network access to the EG2 Web Control's web interface port can send specially crafted requests that bypass the authentication mechanism. No valid credentials are needed. Once past the authentication check, the attacker can alter lighting system settings and schedules.
Prerequisites
- Network access to the EG2 Web Control web interface port (typically HTTP/HTTPS)
- No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · no patch available
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
EG2 Web Control | ≤ V4.04P | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the EG2 Web Control web interface using firewall rules. Only allow access from authorized engineering workstations and administrative networks.
HARDENING: Implement network segmentation to isolate the EG2 Web Control from general IT networks and untrusted sources.
Mitigations - no patch available
EG2 Web Control ≤ V4.04P has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor and log all access attempts to the EG2 Web Control web interface for signs of unauthorized access.
CVEs (2)