Echelon SmartServer 1, SmartServer 2, SmartServer 3, i.LON 100, i.LON 600 (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-18-200-03Jul 19, 2018

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in Echelon SmartServer and i.LON devices allow remote code execution due to insufficient input validation, weak authentication mechanisms, plaintext credential storage, and unencrypted communications. Affected versions: SmartServer 1 (all versions), SmartServer 2 (versions before 4.11.007), i.LON 100 (all versions), and i.LON 600 (all versions). Successful exploitation allows an unauthenticated attacker on the network to execute arbitrary code on the device, potentially compromising the integrity and availability of networked industrial devices and systems.

What this means

What could happen

An attacker with network access could execute arbitrary code on the device, potentially altering network communication settings, process parameters, or disabling monitoring and control functions across connected industrial networks.

Who's at risk

Water utilities, electric utilities, and other infrastructure operators using Echelon SmartServer or i.LON integration devices to manage networked sensors and controllers. This includes any automation system relying on these gateways for LONWORKS network communication, such as building automation, HVAC control, or process monitoring systems.

How it could be exploited

An attacker on the network sends a specially crafted request to the device's web service or network protocol handler. The device processes the request without proper authentication or input validation, allowing the attacker to execute arbitrary code and take control of the device's functions.

Prerequisites

Network access to the device on its standard ports (typically HTTP/HTTPS or proprietary protocols)
No credentials required for exploitation of primary vulnerabilities
Device must be reachable from the attacker's network segment

remotely exploitableno authentication requiredlow complexityno patch available for SmartServer 1, i.LON 100, i.LON 600affects network integration and control devicesdefault credentials may exist

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (4)

1 with fix3 EOL

ProductAffected VersionsFix Status

SmartServer 1: all versionsAll versionsNo fix (EOL)

SmartServer 2: all< 4.11.0074.11.007

i.LON 100: all versionsAll versionsNo fix (EOL)

i.LON 600: all versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/6

Do now

0/4

WORKAROUNDPlace all SmartServer, i.LON 100, i.LON 600, and any servers using these services behind a firewall or on a dedicated VLAN isolated from other devices and the business network

HARDENINGChange default username and password during initial installation

HARDENINGDisable unencrypted services and enable encrypted services (TLS/SSL) for SmartServer and i.LON devices

WORKAROUNDFor CVE-2018-10627, modify the WebParams.dat file per Echelon's security advisory ESA-20180823-01

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXInstall SmartServer 2 Service Pack 7 (Version 4.11.007) to patch CVE-2018-8859, CVE-2018-8851, and CVE-2018-8855

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: SmartServer 1: all versions, i.LON 100: all versions, i.LON 600: all versions. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate control system networks from the business network and prevent internet-facing access

CVEs (4)

CVE-2018-10627 CVE-2018-8859 CVE-2018-8851 CVE-2018-8855

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4e0c3a1b-9c52-477f-bd69-00f24d626332

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.