Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default

ID VU:507216
Type cert
Reporter CERT
Modified 2016-11-09T21:38:00


Overview

Hirschmann "Classic Platform" switches contain a password sync feature that keeps the SNMP community string in sync with the switch administrator password, exposing the administrator password to attackers on the local network.

Description

CWE-257: Storing Passwords in a Recoverable Format

For all Hirschmann (part of Belden) "Classic Platform" switches (which include the MACH series workgroup switches, among others), by default, the switch administrator password is used to construct an SNMP community string that allows remote management of some switch configuration. Attackers on the local network with the ability to sniff network traffic may be able to recover the administrator password from the community string.

Belden has released security advisory BSECV-2016-2 which describes this issue in more detail.

Impact

An attacker on the local network may learn the switch administrator password from the SNMP community string, which is sent over the network in plaintext in SNMPv1 and SNMPv2.

Solution

Disable the SNMP Password Sync feature and use SNMPv3

Affected users may disable the password sync feature on their devices. For more information, please see Belden security advisory BSECV-2016-2. Users are also encouraged to use SNMPv3, which supports encrypted network traffic.

According to Hirschmann, the password sync feature was enabled by default to aid in network setup during the transition from SNMPv1/v2 to SNMPv3. Hirschmann has committed to disabling the password sync feature by default in future devices and firmware now that SNMPv3 is the default on their products.
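As an added illustration (not part of the CERT note or of Belden's advisory), the following Python script audits captured SNMP datagrams: it reports every SNMPv1/v2c message, which carries its community string in cleartext, and flags a community string that contains the administrator password, so switches with password sync still enabled can be located and migrated to SNMPv3. The sample datagrams and the password `Sw1tchAdm1n!` are constructed; the substring check assumes the synced community string embeds the password verbatim, which the advisory does not specify.

```python
def _read_tlv(buf, pos):
    """Decode the BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def snmp_version_and_community(datagram):
    """Return (version_name, community); community is None for SNMPv3, which
    authenticates with USM and sends no community string on the wire."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer element is not a SEQUENCE")
    vtag, raw_version, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("malformed SNMP message: version is not an INTEGER")
    version = int.from_bytes(raw_version, "big")
    if version == 3:
        return "v3", None
    ctag, community, _ = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("malformed SNMPv1/v2c message: community is not an OCTET STRING")
    return {0: "v1", 1: "v2c"}.get(version, f"unknown({version})"), community.decode("latin-1")

def audit(datagrams, admin_password):
    """Return [(name, version, password_exposed)] per v1/v2c datagram; the exposure check
    assumes the synced community string contains the admin password verbatim (assumption)."""
    findings = []
    for name, dgram in datagrams.items():
        version, community = snmp_version_and_community(dgram)
        if community is not None:                       # v3 carries no community string
            findings.append((name, version, bool(admin_password) and admin_password in community))
    return findings

def _tlv(tag, value):
    """Short-form BER encoder (values under 128 bytes), used only to build the samples."""
    return bytes([tag, len(value)]) + value

# Constructed sample datagrams (not real captures): a GetRequest with an empty
# varbind list under SNMPv1 and SNMPv2c, and an SNMPv3 header (msgGlobalData only).
_GET = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")        # request-id, error-status,
            + _tlv(0x02, b"\x00") + _tlv(0x30, b""))              # error-index, empty varbinds
SAMPLES = {
    "v1-synced": _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, b"Sw1tchAdm1n!") + _GET),
    "v2c": _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"public") + _GET),
    "v3": _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b"\x02\x01\x01\x02\x02\x05\xdc\x04\x01\x04\x02\x01\x03")),
}

print(audit(SAMPLES, "Sw1tchAdm1n!"))   # constructed admin password; v3 sample produces no finding
```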

Vendor Information


Belden

Updated: January 28, 2016


Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Yokogawa Electric Corporation

Updated: November 09, 2016

Statement Date: March 31, 2016


Affected

Vendor Statement

YSAR-16-0001: Vnet/IP network switches reveal administrator password in SNMP community string

Vendor Information

Please note that the advisory below was updated in November 2016 with more information.

Vendor References

  • <http://www.yokogawa.com/dcs/security/ysar/dcs-ysar-index-en.htm>

CVSS Metrics

Group | Score | Vector
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal | 6.9 | E:F/RL:OF/RC:C
Environmental | 5.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • <https://www.belden.com/resourcecenter/security/upload/Belden_Security_Advisory_BSECV-2016-2_1v0.pdf>
  • <http://www.hirschmann.com/en/Hirschmann_Produkte/Industrial_Ethernet/Workgroup-Switches_MACH100/index.phtml>


Thanks to Mark Jaques for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2016-02-16
Date First Published: 2016-02-16
Date Last Updated: 2016-11-09 21:38 UTC
Document Revision: 64