How to find Westermo devices on your network

Updated

Latest Westermo vulnerabilities #

Westermo has disclosed several vulnerabilities in its L210-F2G Lynx Industrial Ethernet switches. 

Two vulnerabilities, CVE-2024-35246 and CVE-2024-32943 allow attackers to create Denial-of-Service (DoS) conditions using specific network traffic. An additional vulnerability, CVE-2024-37183 could allow an attacker with local network access to sniff sensitive credentials in clear text.

CVE-2024-35246 and CVE-2024-32943 have a CVSS score of 8.7, while CVE-2024-37183 has a CVSS score of 5.7.

What is the impact? #

Successful exploitation of these vulnerabilities could allow an attacker to create a denial-of-service condition or steal sensitive information.

Are updates or workarounds available? #

No update addressing these vulnerabilities is currently available. The manufacturer recommends disabling the administrative web interface if possible.

How to find potentially vulnerable Westermo Lynx devices with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"Westermo Lynx"

EDW-100 serial to ethernet converter vulnerability (May 2024) #

In May 2024, Westermo disclosed (direct PDF link) multiple vulnerabilities in their EDW-100 Serial to Ethernet converter product.

CVE-2024-36080 was rated critical with CVSS score of 9.8 due to a hidden administrator account with a hardcoded password. The credentials for the username root were hard-coded and exposed as strings that could trivially be extracted from the image.bin file in the firmware pages. Currently there is no way to change this password.

CVE-2024-36081
 was rated critical with CVSS score of 9.8. The vulnerability allowed an unauthenticated GET request that could download the configuration-file that contained the configuration, username, and passwords in clear-text.

CISA published the above information as part of ICS Advisory ICSA-24-151-04

What was the impact? #

Successful exploitation of these results on complete compromise of the device.

Are updates or workarounds available? #

At time of this writing Westermo had not posted software updates to correct these issues. They recommended implementing network segregation and perimeter protection in order to prevent abuse of these vulnerabilities. They also recommended replacing EDW-100 devices with Lynx DSS L105-S1.

How to find potentially vulnerable EDW-100 systems with runZero #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hardware:="EDW-100" OR (protocol:telnet AND banner:"Westermo EDW-100%")

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King

Written by Tom Sellers

Tom Sellers is a Principal Research Engineer at runZero. In his 25 years in IT and Security he has built, broken, and defended networks for companies in the finance, service provider, and security software industries. He has built and operated Internet scale scanning and honeypot projects. He is credited on many patents for network deception techonology. A strong believer in Open Source he has contributed to projects such as Nmap, Metasploit, and Recog.

More about Tom Sellers
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.


Related Articles

Rapid Response
How to find PKIX-SSH services on your network
A fork of OpenSSH called PKIX-SSH was impacted by the recently discovered regreSSHion vulnerability. Here's how to find impacted services on your...
Rapid Response
How to find Kaspersky products with runZero
The US government has banned the sale of Kaspersky products and services. Here's how to find Kaspersky products in your network.
Rapid Response
How to find Microsoft Message Queuing (MSMQ) servers on your network
A new pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service is rated critical. Find impacted systems now with runZero.
Rapid Response
How to find Johnson Controls Software House iStar Pro Door Controller devices on your network
Johnson Controls disclosed a vulnerability in their House iStar Pro Door Controller devices. See how to find it with runZero.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved