Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
Cambium Network Updater Tool (CNUT): the official Cambium software tool for managing Cambium devices.
The Network Updater Tool is a free-of-charge tool that applies packages to upgrade the device types listed as supported in the release notes for the release you are using. Because this tool is available, an operator does not need to visit each module in the network, or even each AP where they would otherwise use the SM Autoupdate capability of the radios.
Vulnerable versions – 4.11.2 – (current at the time of reporting)
Fixed – versions > 4.11.2
Windows 7 x86
- Install the application.
- Default install in C:\Cambium\NetworkUpdater\.
- A web server is started on HTTP(S) 80/443 when the application is run.
File Path Traversal [No Auth Required]
A file path traversal vulnerability was identified in the CNUT application.
When the CNUT application is started, it runs a web server on HTTP(S) port 80/443. CNUT is a Java application. It was found that the web server does not perform strict input validation and uses input data in filesystem operations.
Therefore, it is possible for an unauthenticated user to read arbitrary files from the file system by issuing the following request:
For example, the following request can be used to read the Windows win.ini file:
On Command Terminal:
; for 16-bit app support
When submitting the crafted URL via the browser, the forward slash (/) character needs to be encoded. The URL will then be:
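
Added example, not part of the original advisory and not Cambium's code: the input validation whose absence is described above, written as the check a Java file handler can apply before it touches the filesystem, including the encoded-separator case. The class, method and `webroot` names are hypothetical, the sample paths are constructed, and Java 10 or later is assumed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added example with hypothetical names; this is not CNUT source code.
public class SafeResolve {

    // Map a raw request path to a file under webRoot; empty means "reject".
    static Optional<Path> resolve(Path webRoot, String rawRequestPath) {
        Path root = webRoot.toAbsolutePath().normalize();
        try {
            // Decode once so %2F and %5C are separators before validation.
            // "+" is protected because URLDecoder would turn it into a space.
            String decoded = URLDecoder.decode(
                    rawRequestPath.replace("+", "%2B"), StandardCharsets.UTF_8);
            // Treat "\" like "/" (Windows accepts both) and make the path relative.
            String relative = decoded.replace('\\', '/').replaceFirst("^/+", "");
            Path candidate = root.resolve(relative).normalize();
            // Component-wise prefix test: "webroot-old" does not pass for "webroot".
            // An absolute input such as a drive-letter path replaces root and fails here.
            return candidate.startsWith(root) ? Optional.of(candidate) : Optional.empty();
        } catch (IllegalArgumentException e) {
            // Malformed percent-encoding, or a NUL/illegal character in the path
            // (InvalidPathException is a subclass of IllegalArgumentException).
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Path root = Paths.get("webroot"); // hypothetical document root
        String[] samples = {              // constructed inputs, not the advisory's request
            "/index.html", "/docs/../index.html", "/../outside.txt",
            "/..%2F..%2Foutside.txt", "/..%5C..%5Coutside.txt" };
        for (String s : samples) {
            String verdict = resolve(root, s).map(p -> "serve " + p).orElse("reject");
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

`normalize()` is purely lexical, so a handler whose document root can contain symbolic links or junctions should also compare `toRealPath()` of the candidate against the root before opening the file.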