December 19, 2017 Karn Ganeshen

Cambium ePMP and cnPilot Multiple Vulnerabilities

Back in Sep 2017, I reported multiple 0-day vulnerabilities in the Cambium ePMP and cnPilot product lines to Rapid7 for a coordinated disclosure. The disclosure went more smoothly and easily than I had expected. Thanks Tod, Jon, & team!

The Rapid7 report is now available here:

https://blog.rapid7.com/2017/12/19/r7-2017-25-cambium-epmp-and-cnpilot-multiple-vulnerabilities/

All versions prior to ePMP v3.5.1 and cnPilot v4.4 are affected.

| CVE | Product | Vulnerability | Status |
|---|---|---|---|
| CVE-2017-5254 | ePMP v3.5 | Privilege escalation via client-side protection bypass | Fixed in v3.5.1 |
| CVE-2017-5255 | ePMP v3.5 | Privilege escalation via command injection | Fixed in v3.5.1 |
| CVE-2017-5256 | ePMP v3.5 | Privilege escalation via XSS | Fixed in v3.5.1 |
| CVE-2017-5257 | ePMP v3.5 | Privilege escalation via XSS via SNMP OIDs using RW access | Fixed in v3.5.1 |
| CVE-2017-5258 | ePMP v3.5 | Privilege escalation via XSS via SNMP configuration upload using RW access | Fixed in v3.5.1 |
| CVE-2017-5259 | cnPilot v4.3.2-R4 | Privilege escalation via backdoor access | Fixed in v4.4 |
| CVE-2017-5260 | cnPilot v4.3.2-R4 | Privilege escalation via direct object reference | Fixed in v4.4 |
| CVE-2017-5261 | cnPilot v4.3.2-R4 | Critical information disclosure via file path traversal in Readfile | Fixed in v4.4 |
| CVE-2017-5262 | cnPilot v4.3.2-R4 | Privilege escalation via SNMP RO access to sensitive OIDs | Fixed in v4.4 |
| CVE-2017-5263 | cnPilot v4.3.2-R4 | Lack of CSRF controls | Unpatched |
| None | cnPilot v4.3.2-R4, ePMP v3.5, ePMP 1000 Hotspot v3.3 | Shipping suspicious binaries | Unresolved |


This disclosure brings you 4 new cnPilot modules, 4 new ePMP modules, 5 updated ePMP modules, and 2 new mixins for Cambium ePMP and cnPilot that future modules can build on.

All 13 Metasploit modules are ready to play with now. Check them out:

~Cheers
