How to find Westermo EDW-100 devices

The latest Westeromo vulnerabilities

Westermo has disclosed (direct link to PDF) multiple security vulnerabilities in its EDW-100 serial to Ethernet converter product.

CVE-2024-36080 is rated critical with a CVSS score of 9.8 thanks to a hidden administrator account with a hard-coded password. Credentials for the username source are hard-coded and exposed as strings that can be easily extracted from the file image.bin file on the firmware pages. It is currently not possible to change this password.

CVE-2024-36081 is rated critical with a CVSS score of 9.8. The vulnerability allows an unauthenticated GET request that can download a configuration file containing configuration, username, and passwords in clear text.

CISA has published the above information under ICS Advisory ICSA-24-151-04

What is the impact?

Successful exploitation of these results after the device has been completely compromised.

Are there updates or workarounds available?

At this time, Westermo has not released software updates to fix these issues. They recommend implementing network segregation and perimeter protection to prevent abuse of these vulnerabilities. They also recommend replacing EDW-100 devices with Lynx DSS L105-S1.

How to find potentially vulnerable systems with runZero?

In the Asset Inventory, use the following query to locate systems that are running potentially vulnerable software:

hardware:="EDW-100" OR (protocol:telnet AND banner:"Westermo EDW-100%")

*** This is a Security Bloggers Network syndicated blog from runZero Blog written by Tom Sellers. Read the original post at: https://www.runzero.com/blog/how-to-find-westermo-edw-100-devices/