PT-2018-18667 · Echelon · Echelon I.Lon 100+3
Daniel Crowley
·
Published
2018-07-24
·
Updated
2026-06-02
·
CVE-2018-8855
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Echelon SmartServer 1 versions all
Echelon SmartServer 2 versions prior to 4.11.007
Echelon i.LON 100 versions all
Echelon i.LON 600 versions all
Description
The issue concerns the default configuration of the devices, which allows unencrypted Web connections. Additionally, the devices can receive configuration and firmware updates via unsecure FTP.
Recommendations
For Echelon SmartServer 1, update the configuration to use encrypted Web connections and secure FTP for updates.
For Echelon SmartServer 2 versions prior to 4.11.007, update to release 4.11.007 or later to address the issue.
For Echelon i.LON 100, consider disabling unencrypted Web connections and unsecure FTP updates until a secure configuration can be implemented.
For Echelon i.LON 600, restrict the use of unsecure FTP for configuration and firmware updates until a secure alternative is available.
Fix
Cleartext Transmission of Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Echelon Smartserver 1
Echelon Smartserver 2
Echelon I.Lon 100
Echelon I.Lon 600