Cambium SNMP Security Vulnerabilities
Late last year, in 2016, I decided to take a look at the SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and corresponding device operations, the security issues stood out glaringly. The vendor, for the most part, attributed these (read: pass the ball) to SNMP v1/2c, which is inherently insecure; and IMO, still hasn't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices and gather sensitive information.
- Cambium ePMP 1000
- Cambium ePMP 2000
- Cambium PMP XXX
- Cambium ForceXXX models
- Potentially all other models
These vulnerabilities may allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.
Read on for details & PoC.