Cambium ePMP and cnPilot Multiple Vulnerabilities

Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for a coordinated disclosure. The disclosure went smoothly and was easier than I had expected. Thanks Tod, Jon, & team!

Rapid7 report is now available here:

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected. This disclosure brings you 10 CVEs, 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot, for future modules.

All 13 Metasploit modules are ready to play with now.

Read on for details.

[ICS] Trihedral VTScada (more) Multiple Vulnerabilities

Vendor: Trihedral
Equipment: VTScada
Vulnerabilities: Improper Access Control, Uncontrolled Search Path Element

ICS-CERT Advisory:
https://ics-cert.us-cert.gov/advisories/ICSA-17-304-02

CVE-ID:
CVE-2017-14029
CVE-2017-14031

AFFECTED PRODUCTS

Trihedral Engineering Limited reports that these vulnerabilities affect the following versions of the VTScada HMI and SCADA software:

  • VTScada 11.3.03 and prior.

IMPACT
Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

Read on for details.

[ICS] Moxa MXview – Unquoted Search Path Vulnerability

Vendor: Moxa
Equipment: MXview
Vulnerability: Unquoted Search Path

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-18-011-02

CVE-ID
CVE-2017-14030

AFFECTED PRODUCTS
The following versions of MXview, network management software, are affected:

  • MXview v2.8 and prior.

IMPACT
Successful exploitation of this vulnerability may allow an authenticated, but non-privileged, local user to execute arbitrary code with elevated privileges.

Read on for details.

Cambium Networks Services Server (CNSS) – Access Control Flaws

This 0-day report was submitted to Cambium via Beyond Trust's SSD program and resolved back in November 2017. Forgot to push this out. Publishing the report now.

Cambium Networks Services Server (CNSS) - Official Cambium software tool to manage Cambium ePMP devices

http://www.cambiumnetworks.com/products/software-tools/cns-server/

The Cambium Networks Services (CNS) Server is a network management application provided by Cambium Networks to manage ePMP devices.

Centrally manage the distribution of software upgrades to your ePMP network via a standard web browser

Vulnerable versions: 1.3.2.3.3211 (current at the time of reporting)

Fixed: a patch was released for 1.3.2.3.3211 that fixes these issues

Vulnerability Summary

  1. It is possible for an unauthenticated user to access sensitive configuration files from the server.
  2. It is possible for a low-privileged user to access restricted, sensitive information.

Read on for details.

Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal

This 0-day report was submitted to Cambium via Beyond Trust's SSD program and resolved back in November 2017. Forgot to push this out. Publishing the report now.

Cambium Network Updater Tool (CNUT) - Official Cambium software tool to manage Cambium Devices

The Network Updater Tool is a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios.

Vulnerable versions: 4.11.2 (current at the time of reporting)

Fixed: versions > 4.11.2

Vulnerability Summary
It is possible for an unauthenticated user to read arbitrary files off of the file system.

Read on for details.

[ICS] Progea Movicon SCADA/HMI Vulnerabilities

Vendor: Progea
Equipment: Movicon SCADA/HMI
Vulnerability: Uncontrolled Search Path Element, Unquoted Search Path or Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-290-01

CVE-ID
CVE-2017-14017
CVE-2017-14019

AFFECTED PRODUCTS
The following versions of Movicon HMI, an HMI software platform, are affected:

  • Movicon Version 11.5.1181 and prior.

IMPACT
Successful exploitation of these vulnerabilities could allow privilege escalation or arbitrary code execution.

Read on for details.

[ICS] JanTek JTC-200 RS232-NET Converter Advisory Published

Vendor: JanTek
Equipment: JTC-200
Vulnerabilities: Cross-site Request Forgery, Improper Authentication

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-283-02

CVE-ID
CVE-2016-5789
CVE-2016-5791

AFFECTED PRODUCTS

The following versions of JTC-200, a TCP/IP converter, are affected:

  • JTC-200 all versions.

IMPACT

Successful exploitation of these vulnerabilities could allow for remote code execution on the device with elevated privileges.

Read on for details.

[ICS] SpiderControl SCADA Web Server Improper Privilege Management Vulnerability

Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Improper Privilege Management

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01

CVE-ID
CVE-2017-12728

AFFECTED PRODUCTS

The following versions of SCADA Web Server, a software management platform, are affected:

  • SCADA Web Server Version 2.02.0007 and prior.

IMPACT
Successful exploitation of this vulnerability could allow authenticated system users to escalate their privileges under certain conditions.

Read on for details.

[ICS] mySCADA myPRO Unquoted Search Path Vulnerability

Vendor: mySCADA
Equipment: myPRO
Vulnerability: Unquoted Search Path

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-255-01

CVE-ID
CVE-2017-12694

AFFECTED PRODUCTS
The following versions of myPRO, an HMI/SCADA management platform, are affected:

  • myPRO Versions 7.0.26 and prior.

IMPACT

Successful exploitation of this vulnerability may allow an authenticated, but non-privileged, local user to execute arbitrary code with elevated privileges.

Read on for details.

[ICS] SpiderControl SCADA Web Server – Directory Traversal Vulnerability

Vendor: SpiderControl
Equipment: SCADA Web Server
Vulnerability: Directory Traversal

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-234-03

ZDI Advisory:
http://www.zerodayinitiative.com/advisories/ZDI-17-695

CVE-ID
CVE-2017-12694

AFFECTED PRODUCTS
The following versions of SpiderControl SCADA Web Server, a software management platform, are affected:

  • SCADA Web Server < version 2.02.0100

IMPACT

Successful exploitation of this vulnerability allows an attacker to gain read access to system files through directory traversal.

Read on for details.