CVE-2016-8378 – This vulnerability in Lynxspring JENEsys BAS Br... (How to Fix)

Q: What is the severity of CVE-2016-8378?

CVE-2016-8378 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Lynxspring JENEsys BAS Bridge exposes database credentials due to insufficient protection mechanisms. Attackers can potentially access and extract sensitive authentication information, affecting all systems running vulnerable versions of this building automation software.

📋 TL;DR

This vulnerability in Lynxspring JENEsys BAS Bridge exposes database credentials due to insufficient protection mechanisms. Attackers can potentially access and extract sensitive authentication information, affecting all systems running vulnerable versions of this building automation software.

💻 Affected Systems

Products:

Lynxspring JENEsys BAS Bridge

Versions: 1.1.8 and older

Operating Systems: Not specified, likely embedded/industrial systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects building automation systems used for HVAC, lighting, and other building controls.

📦 What is this software?

Jenesys Bas Bridge by Lynxspring

View all CVEs affecting Jenesys Bas Bridge →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to gain administrative access to building automation systems, potentially manipulating environmental controls, security systems, or causing physical damage.

🟠

Likely Case

Credential theft leading to unauthorized access to building management systems, data exfiltration, and lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation and credential rotation, though the vulnerability still exists in the software.

🌐 Internet-Facing: HIGH if exposed to internet, as credential exposure could lead to remote compromise.

🏢 Internal Only: HIGH even internally, as credential exposure enables privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Credential exposure vulnerabilities typically have low exploitation complexity once access to the database is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions newer than 1.1.8

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-320-01

Restart Required: Yes

Instructions:

1. Contact Lynxspring for updated software version. 2. Backup current configuration. 3. Install updated version following vendor instructions. 4. Restart the system. 5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate JENEsys BAS Bridge systems from general network traffic and internet access

Credential Rotation

all

Change all database and system credentials used by the application

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the BAS Bridge systems
Monitor for unusual database access patterns and credential usage

🔍 How to Verify

Check if Vulnerable:

Check software version in administration interface or configuration files. If version is 1.1.8 or older, system is vulnerable.

Check Version:

Check vendor documentation for version checking method specific to JENEsys BAS Bridge

Verify Fix Applied:

Verify software version shows newer than 1.1.8 and test database credential access controls.

📡 Detection & Monitoring

Log Indicators:

Unusual database access patterns
Multiple failed authentication attempts
Unexpected credential changes

Network Indicators:

Unusual traffic to/from BAS Bridge database ports
External connections to internal building automation systems

SIEM Query:

source="bas_bridge" AND (event_type="database_access" OR event_type="authentication_failure")

📊 Metadata

CVE ID: CVE-2016-8378

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-255

Published: February 13, 2017

Last Updated: April 20, 2025

🔗 References

http://www.securityfocus.com/bid/94344 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-16-320-01 Mitigation,Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/94344 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-16-320-01 Mitigation,Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-8378, you might also want to check these: