December 19, 2017 Karn Ganeshen

Cambium ePMP and cnPilot Multiple Vulnerabilities

Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for a coordinated disclosure. The disclosure went smoothly and easier than I had expected. Thanks Tod, Jon, & team!

The Rapid7 report is now available here:

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected.

| CVE | Product | Vulnerability | Status |
|---|---|---|---|
| CVE-2017-5254 | ePMP v3.5 | Privilege escalation via client-side protection bypass | Fixed in v3.5.1 |
| CVE-2017-5255 | ePMP v3.5 | Privilege escalation via command injection | Fixed in v3.5.1 |
| CVE-2017-5256 | ePMP v3.5 | Privilege escalation via XSS | Fixed in v3.5.1 |
| CVE-2017-5257 | ePMP v3.5 | Privilege escalation via XSS via SNMP OIDs using RW access | Fixed in v3.5.1 |
| CVE-2017-5258 | ePMP v3.5 | Privilege escalation via XSS via SNMP configuration upload using RW access | Fixed in v3.5.1 |
| CVE-2017-5259 | cnPilot v4.3.2-R4 | Privilege escalation via backdoor access | Fixed in v4.4 |
| CVE-2017-5260 | cnPilot v4.3.2-R4 | Privilege escalation via direct object reference | Fixed in v4.4 |
| CVE-2017-5261 | cnPilot v4.3.2-R4 | Critical information disclosure via file path traversal in Readfile | Fixed in v4.4 |
| CVE-2017-5262 | cnPilot v4.3.2-R4 | Privilege escalation via SNMP RO access to sensitive OIDs | Fixed in v4.4 |
| CVE-2017-5263 | cnPilot v4.3.2-R4 | Lack of CSRF controls | Unpatched |
| None | cnPilot v4.3.2-R4, ePMP v3.5, ePMP 1000 Hotspot v3.3 | Shipping suspicious binaries | Unresolved |


This disclosure brings you 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot, for use in future modules.

All 13 Metasploit modules are ready to play with now. Check them out:

~Cheers
