Westermo WeOS Hard-coded Certificate Vulnerability

Information

Severity

Critical

Family

General

CVSSv2 Base

9.3

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Solution Type

Vendor Patch

Created

7 years ago

Modified

5 years ago

Summary

Westermo WeOS uses the same SSL private key across different customer installations.

Insight

The SSL keys used by the switches to provide secure communications are hard-coded. Malicious parties could obtain the key, stage a Man-in-the-Middle attack posing as a WeOS device, and then obtain credentials entered by the end user. With those credentials, the malicious party would have authenticated access to that device.

Affected Software

WeOS versions older than Version 4.19.0

Detection Method

Checks if a vulnerable version is present on the target host.

Solution

Westermo has released a patch that allows changing default certificates to custom certificates.

Common Vulnerabilities and Exposures (CVE)