User Documentation

Security Advisory
Weidmüller Interface GmbH & Co. KG
Klingenbergstraße 26
32758 Detmold, Germany
T +49 5231 14-0
F +49 5231 14292083
www.weidmueller.com
Page 3 of 6
Description: An issue was discovered on Weidmueller devices. Please see "Affected Products" for a list of affected products. Sensitive credentials data is transmitted in cleartext.

CVE ID: CVE-2019-16673
Vulnerability Type: Unprotected Storage of Credentials (CWE-256)
CVSS: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Description: An issue was discovered on Weidmueller devices. Please see "Affected Products" for a list of affected products. Passwords are stored in cleartext and can be read by anyone with access to the device.

CVE ID: CVE-2019-16674
Vulnerability Type: Predictable from Observable State (CWE-341)
CVSS: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Description: An issue was discovered on Weidmueller devices. Please see "Affected Products" for a list of affected products. Authentication information used in a cookie is predictable and can lead to admin password compromise when captured on the network.
Solution
For all potential vulnerabilities, customers can download a patched firmware to secure their switches properly.
Please download and install the latest firmware for your switch by following the procedure below:
Use the link www.weidmueller.com
1.) Enter the product number of the switch you want to update in the search field on the web page and press “Enter”
2.) On the next page, expand the drop-down menu “show downloads”
3.) Download the respective firmware from the download table
4.) Install the firmware on your switch
Solution for CVE-2019-16672
a.) Solution for the vulnerability, valid for switch series IE-SW-VL05M and IE-SW-VL08MT
To avoid the vulnerabilities referred to in this section, it is necessary to install the patched firmware. After installation of the patched firmware, the web interface can be accessed via encrypted communication using https, and web interface access can be configured to enforce encrypted connections by selecting “https only”.
The respective web interface menu section for this setting can be reached via the following path:
Main Menu > Basic Settings > System: Set the “Web Configuration” to “https only”
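As an added example that is not part of this advisory or Weidmüller's own tooling, the following Python check lets an operator confirm from the network side that the “https only” setting has taken effect: it sends one plaintext HTTP request to the switch (port 80 and the response shapes below are assumptions, and the sample responses in the test are constructed) and classifies whether the cleartext path is closed, redirects to https, or still serves content.

```python
"""Post-remediation check: is the switch web interface really 'https only'?"""
import socket
from typing import Optional

REDIRECT_CODES = (301, 302, 303, 307, 308)


def classify_plaintext_response(raw: Optional[bytes]) -> str:
    """Classify the outcome of a plaintext GET to the switch.

    raw is None when the TCP connection was refused or reset (port closed),
    b"" when the connection opened but nothing came back (filtered/silent),
    otherwise the first bytes of the HTTP response.
    """
    if raw is None:
        return "plaintext-closed"          # desired: no cleartext web interface at all
    if not raw:
        return "no-response"               # cannot conclude; re-check from a permitted host
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = lines[0].split(" ")
    if len(status) < 2 or not status[0].startswith("HTTP/") or not status[1].isdigit():
        return "unknown"                   # not HTTP; some other service answered
    code = int(status[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if code in REDIRECT_CODES and headers.get("location", "").lower().startswith("https://"):
        return "redirect-to-https"         # acceptable, but credentials must never be posted over http
    return "plaintext-enabled"             # login page still reachable in cleartext: setting not applied


def probe_plaintext(host: str, port: int = 80, timeout: float = 3.0) -> Optional[bytes]:
    """Send one minimal HTTP/1.0 GET over plaintext and return the raw reply (or None if refused)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
            try:
                return sock.recv(4096)
            except socket.timeout:
                return b""
    except (ConnectionRefusedError, ConnectionResetError, socket.timeout, OSError):
        return None


def check_switch(host: str) -> str:
    """Convenience wrapper: probe a live switch and return the classification."""
    return classify_plaintext_response(probe_plaintext(host))
```

Run `check_switch("<switch-ip>")` against a switch after the firmware update; anything other than "plaintext-closed" or "redirect-to-https" means the “Web Configuration” setting still needs attention.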