CVE-2021-22667 – This vulnerability affects BB-ESWGP506-2SFP-T i... (How to Fix)

Q: What is the severity of CVE-2021-22667?

CVE-2021-22667 has a CVSS score of 9.8 (CRITICAL). This vulnerability affects BB-ESWGP506-2SFP-T industrial switches with hard-coded credentials, allowing attackers to gain unauthorized access and execute arbitrary code. Affected versions are 1.01.09 and prior, with versions 1.01.01 and prior specifically vulnerable to code execution. Organizations using these switches in industrial control systems are at risk.

📋 TL;DR

This vulnerability affects BB-ESWGP506-2SFP-T industrial switches with hard-coded credentials, allowing attackers to gain unauthorized access and execute arbitrary code. Affected versions are 1.01.09 and prior, with versions 1.01.01 and prior specifically vulnerable to code execution. Organizations using these switches in industrial control systems are at risk.

💻 Affected Systems

Products:

BB-ESWGP506-2SFP-T industrial Ethernet switch

Versions: Versions 1.01.09 and prior (code execution in 1.01.01 and prior)

Operating Systems: Embedded switch firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations are vulnerable due to hard-coded credentials. The vulnerability exists in the web interface authentication mechanism.

📦 What is this software?

Bb Eswgp506 2sfp T Firmware by Advantech

View all CVEs affecting Bb Eswgp506 2sfp T Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial network, unauthorized control of connected devices, data exfiltration, and potential physical damage to industrial processes.

🟠

Likely Case

Unauthorized access to switch configuration, network disruption, lateral movement within industrial network, and potential data theft.

🟢

If Mitigated

Limited impact if switches are isolated in segmented networks with strict access controls and monitoring.

🌐 Internet-Facing: HIGH - If switches are exposed to the internet, attackers can easily exploit hard-coded credentials without authentication.

🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this vulnerability to gain control of switches.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only knowledge of hard-coded credentials and network access to the switch. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.01.10 or later

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02

Restart Required: Yes

Instructions:

1. Download firmware version 1.01.10 or later from vendor. 2. Backup current configuration. 3. Upload new firmware via web interface. 4. Reboot switch. 5. Verify firmware version and change all credentials.

🔧 Temporary Workarounds

Network segmentation and isolation

all

Isolate affected switches in separate VLANs with strict firewall rules to limit access.

Disable web interface if not needed

all

Disable HTTP/HTTPS management interface and use console or SSH only if supported.

🧯 If You Can't Patch

Implement strict network access controls to limit who can reach the switch management interface
Monitor for authentication attempts and unusual configuration changes on affected switches

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > System Information) or console. Versions 1.01.09 and prior are vulnerable.

Check Version:

Via web interface: System > System Information. Via console: show version

Verify Fix Applied:

Verify firmware version is 1.01.10 or later and test that hard-coded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

Failed login attempts with default credentials
Successful logins from unexpected IPs
Configuration changes from unauthorized users

Network Indicators:

HTTP/HTTPS traffic to switch management interface from unusual sources
Unusual outbound connections from switch

SIEM Query:

source="switch_logs" AND (event_type="authentication" AND (username="admin" OR username="root")) OR (event_type="configuration_change")

📊 Metadata

CVE ID: CVE-2021-22667

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: February 24, 2021

Last Updated: November 21, 2024

🔗 References

https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02 Mitigation,Third Party Advisory,US Government Resource
https://www.zerodayinitiative.com/advisories/ZDI-21-593/ Third Party Advisory,VDB Entry
https://us-cert.cisa.gov/ics/advisories/icsa-21-054-02 Mitigation,Third Party Advisory,US Government Resource
https://www.zerodayinitiative.com/advisories/ZDI-21-593/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-22667, you might also want to check these: