OTPulse

Westermo L210-F2G

Monitor | CVSS 7.5 | ICS-CERT ICSA-24-172-03 | Jun 20, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Westermo L210-F2G Lynx device (firmware 4.21.0) contains vulnerabilities that could cause denial of service through resource exhaustion or remote code execution. Two CWEs are associated: CWE-319 (cleartext transmission of sensitive information) and CWE-799 (improper control of interaction frequency, i.e., missing rate limiting). The WebGUI accepts unencrypted HTTP connections, so credentials and session IDs cross the network in cleartext. The WebGUI and CLI do not rate-limit login attempts, so an attacker can exhaust the device's resources with repeated login requests and cause a denial of service.

What this means
What could happen
An attacker could crash the L210-F2G device, causing the firewall to stop processing traffic and potentially disrupting critical network connectivity. In some cases, remote code execution could be achieved, allowing the attacker to take full control of the device and alter network traffic or access connected systems.
Who's at risk
This advisory affects organizations using the Westermo L210-F2G Lynx industrial firewall, which is commonly deployed in critical infrastructure networks, manufacturing plants, utilities, and remote site connectivity. Network administrators responsible for industrial control systems, remote access gateways, and critical network perimeter security should prioritize this vulnerability.
How it could be exploited
An attacker on the network (or on the internet, if the device is exposed) can connect to the WebGUI on HTTP port 80 or to the CLI over SSH on port 22. For denial of service, the attacker repeatedly attempts to log in, exhausting the device's resources until it crashes. For credential theft, an attacker positioned on the path intercepts HTTP traffic and captures the unencrypted login credentials and session IDs; a captured session ID can be replayed to hijack an existing administrative session without knowing the password. With administrative access, the attacker can execute commands on the device.
Prerequisites
  • Network access to HTTP port 80 (WebGUI) or SSH port 22 (CLI)
  • No credentials required for denial-of-service attack (repeated login attempts)
  • Valid administrative credentials required for remote code execution via authenticated access
  • Remotely exploitable
  • No authentication required for denial-of-service
  • Low complexity attack
  • Cleartext transmission of credentials
  • Affects network firewall (critical infrastructure)
  • No patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
L210-F2G Lynx | 4.21.0 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable HTTP access to the WebGUI and enforce HTTPS only for all administrative connections
WORKAROUND: Disable WebGUI access on external communication interfaces, or disable the WebGUI entirely if it is not required for production operations
WORKAROUND: Disable or restrict SSH CLI access on external communication interfaces to prevent login brute-force denial-of-service attacks
Mitigations - no patch available
L210-F2G Lynx 4.21.0 has reached end of life and the vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation so the L210-F2G is not reachable from the internet or untrusted networks; place the device behind an additional firewall or access control layer
HARDENING: Use a VPN or another secure out-of-band management channel for remote administrative access to the device
HARDENING: Monitor for and block repeated failed login attempts to the WebGUI and CLI; implement rate limiting at the network edge, since the device itself cannot be configured to do so
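The monitoring control above can be implemented off-box, since the L210-F2G cannot rate-limit its own logins. The following is an added example, not OTPulse's or Westermo's code: a sliding-window detector that reads syslog-style lines forwarded from the device (or from an edge firewall logging the device's port 80/22 connections) and raises one alert per source and service once a threshold of failed logins falls inside the window. The message formats, the device hostname and the nftables table and set names in the block helper are assumptions, and the log lines are constructed for the example.

```python
"""Sliding-window detector for repeated failed logins to a Westermo L210-F2G
WebGUI/CLI. Added example; the log formats and names below are assumptions,
not the device's documented output."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-like line: "<Mon> <day> <HH:MM:SS> <host> <service>[pid]: <msg> from <ipv4> ..."
# Only failures are matched; the service name selects WebGUI (HTTP) vs. sshd (CLI).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<service>webgui|sshd)(?:\[\d+\])?: "
    r"(?P<msg>.*?(?:authentication failure|Failed password|login failed).*?)"
    r" from (?P<src>\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def parse_failure(line, year=2024):
    """Return (timestamp, source_ip, service) for a failed-login line, else None.
    Syslog lines carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["service"].lower()


def detect_bursts(lines, threshold=10, window_s=60):
    """Scan lines in order; keep a per-(source, service) deque of failure times
    trimmed to `window_s` seconds. Emit one alert per key when the deque first
    reaches `threshold`, so a sustained brute-force/DoS burst alerts exactly once."""
    window = timedelta(seconds=window_s)
    history = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, src, service = parsed
        key = (src, service)
        q = history[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "service": service, "count": len(q),
                           "first": q[0], "last": ts})
    return alerts


def nft_block_command(src, table="inet edge", set_name="l210_blocked"):
    """Command to add the offending source to an nftables set that an edge rule
    drops traffic from (table and set names are assumptions for this example)."""
    return f"nft add element {table} {set_name} {{ {src} }}"


# Constructed sample log: a 12-attempt SSH burst from one source in 22 seconds,
# three WebGUI failures from another source spread over ten minutes, and noise.
SAMPLE_LOG = [
    "Jun 20 10:11:03 l210-f2g WebGUI: login failed for user admin from 198.51.100.7",
    *(f"Jun 20 10:15:{s:02d} l210-f2g sshd[1042]: Failed password for admin "
      f"from 203.0.113.45 port {50000 + i} ssh2"
      for i, s in enumerate(range(0, 24, 2))),
    "Jun 20 10:15:30 l210-f2g kernel: link up on eth1",
    "Jun 20 10:16:40 l210-f2g WebGUI: login failed for user admin from 198.51.100.7",
    "Jun 20 10:21:12 l210-f2g WebGUI: login failed for user operator from 198.51.100.7",
]

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['src']} {a['service']}: {a['count']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
        print("  ", nft_block_command(a["src"]))
```

With the defaults (10 failures in 60 s) only the SSH burst from 203.0.113.45 alerts; the slow WebGUI failures from 198.51.100.7 stay below threshold unless the window is widened, which is the knob to tune against the device's observed crash point. Because the device itself is the thing being exhausted, the block command should be applied at the edge firewall in front of it, not on the L210-F2G.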