Hirschmann HiLCOS Layer-2 Firewall Multicast and Broadcast Traffic Filtering Vulnerability

A vulnerability exists in Hirschmann HiLCOS products OpenBAT, BAT450, WLC, and BAT867, specifically in versions through 9.12.5600-RU1 for the first three products and through 9.14.5600-RU1 for BAT867. The issue arises because the Layer-2 Firewall does not properly filter IPv4 multicast and broadcast traffic when management IP address filtering is turned off. This misconfiguration allows multicast and broadcast packets that should be blocked to bypass the firewall entirely. As a result, an attacker with network access could inject or intercept multicast and broadcast traffic that should have been filtered out.

Impact

Exploitation of this vulnerability could lead to improper handling of multicast and broadcast traffic, allowing unauthorized injection or observation of such packets on the network.

Remediation

Users are advised to update to HiLCOS version 9.12.5600-RU1 or higher for OpenBAT, BAT450, and WLC, and to version 9.14.5600-RU1 or higher for BAT867. As a temporary workaround, the 'Filter Management Packets' option can be activated to restore proper filtering for packets directed to the device's management IP address.