Belden Hirschmann GECKO (Update A)

Monitor7.1ICS-CERT ICSA-17-026-02AJan 26, 2017

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Hirschmann GECKO Lite Managed switches contain multiple vulnerabilities in the web management interface: path traversal (CWE-22) allows reading arbitrary files, server-side request forgery (CWE-918) enables unauthorized remote actions, cross-site request forgery (CWE-352) can trick administrators into issuing commands, and information disclosure (CWE-200) leaks configuration data. An attacker with network access to the management interface can intercept, modify, or extract configuration without authentication. Version 2.0.00 and earlier are affected.

What this means

What could happen

An attacker could intercept or modify configuration commands to the Hirschmann GECKO switch, disrupting network connectivity across your facility's control system devices. The attacker could also extract sensitive configuration data like access credentials.

Who's at risk

Water authorities and municipal electric utilities using Hirschmann GECKO Lite managed switches for industrial network infrastructure should be concerned. This affects any facility that relies on these switches to connect PLCs, RTUs, or other control devices over Modbus, Profinet, or other industrial protocols.

How it could be exploited

An attacker can send specially crafted requests to the web interface or management protocol of the switch without authentication. By exploiting path traversal and CSRF vulnerabilities, the attacker can read files, alter switch settings, or intercept legitimate administrator commands.

Prerequisites

Network access to the Hirschmann GECKO Lite switch management interface (typically HTTP port 80 or 443)
User (administrator or operator) must be logged in or visiting the switch interface in their browser for CSRF exploitation

Remotely exploitableNo authentication required for some vectorsLow complexity to exploitNo patch available (end-of-life product)Affects network infrastructure supporting safety and control systems

Exploitability

Moderate exploit probability (EPSS 1.4%)

Affected products (1)

ProductAffected VersionsFix Status

Hirschmann GECKO Lite Managed switch:≤ 2.0.00No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to the Hirschmann GECKO switch management interface using firewall rules; only allow access from your engineering workstations or a dedicated management network

WORKAROUNDDisable the web management interface (HTTP/HTTPS) if you use only Modbus TCP or Profinet for device communication; manage the switch via command-line or local console only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIsolate the Hirschmann GECKO switch on a separate management VLAN and restrict traffic to trusted administrative devices only

Mitigations - no patch available

0/1

Hirschmann GECKO Lite Managed switch: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGDeploy an industrial network monitoring solution to detect unauthorized configuration changes or suspicious requests to the switch

CVEs (4)

CVE-2017-5163 CVE-2017-6036 CVE-2017-6038 CVE-2017-6040

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8802f016-0d45-4557-adad-f8f0bba4ab90