EnOcean SmartServer
Monitor | 6.3 | ICS-CERT ICSA-23-037-01 | Feb 7, 2023
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
EnOcean SmartServer v2.2 SR8/SP8 (4.12.006) with i.LON Vision contains hardcoded credentials (CWE-798) that could allow an attacker with local access and high privileges to gain unauthorized access to the server. The vulnerability is not remotely exploitable. No known public exploits exist. EnOcean has released SmartServer 3.5 Update 2 (v3.52.003) with fixes. Organizations running older versions should apply hardening controls and consider upgrading to a patched version.
What this means
What could happen
An attacker with local access and high privileges could gain unauthorized access to the SmartServer and potentially modify device configurations or access sensitive building automation data.
Who's at risk
Building automation and smart building operators using EnOcean SmartServer with i.LON Vision for environmental controls, lighting, HVAC, and occupancy management should review this vulnerability. This affects organizations running older v2.2 SR8/SP8 deployments.
How it could be exploited
An attacker must first obtain local access to the SmartServer system and have high-level administrative privileges. Once on the system, they could exploit hardcoded or default credentials to gain unauthorized access to the server.
Prerequisites
- Local access to the SmartServer system
- High-level administrative privileges on the host system
- Knowledge of or access to default/hardcoded credentials
Key points
- Hardcoded or default credentials (CWE-798)
- Local access required (limits remote exploitability)
- No patch available for affected version (v2.2 SR8/SP8)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: EnOcean SmartServer with i.LON Vision
Affected Versions: v2.2 SR8/SP8 (4.12.006) with i.LON Vision v2.2 SR8/SP8 (4.12.006)
Fix Status: 3.5 Update 2 (v3.52.003)
Remediation & Mitigation
Do now
- [Hardening] Apply EnOcean hardening guide recommendations to restrict access to SmartServer
- [Hardening] Implement local access controls and restrict physical/network access to the SmartServer host
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- [Hotfix] Upgrade SmartServer to version 3.5 Update 2 (v3.52.003) or later
CVEs (1)