January 5, 2018 Karn Ganeshen

Cambium Networks Services Server (CNSS) – Access Control Flaws

Cambium Networks Services Server (CNSS) – Official Cambium software tool to manage Cambium ePMP devices

http://www.cambiumnetworks.com/products/software-tools/cns-server/

The Cambium Networks Services (CNS) Server is a network management application provided by Cambium Networks to manage ePMP devices.

Centrally manage the distribution of software upgrades to your ePMP network via a standard web browser

Vulnerable versions – 1.3.2.3.3211 – (current at the time of reporting)

Fixed – a patch was released for 1.3.2.3.3211 that fixes these issues

Download Link(s) (need sign up)
https://support.cambiumnetworks.com/files/cns%20server/
Filename – cnsserver-1.3.2.3.3211-windows-installer.exe

Release Notes
https://support.cambiumnetworks.com/file/8b93867b198decc1ad911f9865804f1e71804b17

Censys.io
https://censys.io/ipv4?q=%22CNS+Server%22

Tested on
Windows 2008 SP1 x64

Setup Process

  1. Install the application.
  2. Default install in C:\Program Files\cnsserver\.
  3. A web server is started on HTTP(S) 80/443, when the application is run. This port can be changed.
  4. Start Menu -> Programs -> Cambium Networks Services Server -> Start CNS Server Backend.
  5. Start Menu -> Programs -> Cambium Networks Services Server -> Launch CNS Server.

VULNERABILITY DETAILS

Access Control Flaws [No Auth Required]

It was found that the application does not implement strict access control. An unauthenticated, remote user can directly request the web root, its sub-directories, and sensitive configuration files from the server.

For example:

  1. Apache
    1. http://IP/httpd.conf
    2. http://IP/windows/apache2/conf/server.key
    3. http://IP/windows/apache2/conf/server.pem
    4. http://IP/windows/apache2/conf/httpd.conf
  2. PHP
    1. http://IP/stack/php/php.ini
    2. http://IP/windows/php/php.ini
  3. Postgresql
    1. http://IP/stack/postgresql/data/pg_hba.conf
    2. http://IP/stack/postgresql/data/postgresql.conf
  4. Logs
    1. http://IP/logs/
  5. Access User Hashes
    1. http://IP/scripts/cnss_test_users.sql
    2. http://IP/scripts/cnss_seed_users.sql

    These files contain login names and password hashes for the application users.

CVSS Score
8.5 (AV:N/AC:L/Au:N/C:C/I:P/A:N/E:H/RL:ND/RC:ND)


Access Control Flaws – Capture credentials for Device Discovery [Post Authentication]

CNSS is used for discovering various other Cambium devices such as ePMP, and managing all deployed units centrally. In order to discover and access the devices, it relies upon SNMP (v2c) community strings and login credentials.

The CNSS application has two roles – administrators and users. An ‘admin’ has full access to the application. A user in the ‘users’ group has restricted access to functions in the application.

During the assessment, it was observed that:

  1. An admin user can access and change the default configuration used for device discovery.
  2. The non-administrative account – ‘user’ – cannot access the ‘Discover’ function's configuration.
  3. However, a ‘user’ can still capture this configuration – the default login credentials and SNMP community strings for other devices – by accessing the following URL:
    1. http://IP/services/finder/admin/index.php
  4. As seen above, the SNMP strings and default admin login credentials are stored in clear text. While this function does make life easier for a network admin or Cambium device admin with hundreds of units deployed across the network and managed remotely, it immediately introduces a high risk.
  5. Considering that all Cambium models can be managed remotely over SNMP and HTTP(S), and that the above credentials and SNMP strings are likely deployed on most of the devices, a malicious actor can use them to compromise Cambium devices throughout the network.

CVSS Score
9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C/E:H/RL:ND/RC:ND)
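As an added example for both findings above (not part of the original advisory and not Cambium's code), the following Python script parses Apache combined-format access log lines and flags requests for the sensitive paths named in this advisory. A 2xx status on such a path means the server actually served the file (exposure); a 403/404 means access control was in place, which is how a defender can confirm from the logs that the patch took effect. Because CNSS runs on Windows, where paths are case-insensitive, the script normalizes URL-encoding and case before matching. The log lines are constructed for this example.

```python
"""
Flag requests for sensitive CNS Server paths in Apache access logs.

Added example, not from the advisory or from Cambium. The path list is
taken from the advisory; the log lines are constructed for the example.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Paths named in the advisory (lower-case: the server runs on Windows,
# where the filesystem is case-insensitive). A prefix match is enough.
SENSITIVE_PATH_PREFIXES = (
    "/httpd.conf",
    "/windows/apache2/conf/",
    "/stack/php/",
    "/windows/php/",
    "/stack/postgresql/data/",
    "/logs/",
    "/scripts/cnss_test_users.sql",
    "/scripts/cnss_seed_users.sql",
    "/services/finder/admin/index.php",
)

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


class Finding(NamedTuple):
    ip: str
    path: str      # normalized path (decoded, lower-cased, query stripped)
    status: int
    exposed: bool  # True when a sensitive path was served with a 2xx status


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(raw: str) -> str:
    """Strip the query string, percent-decode, and lower-case the request path."""
    path = raw.split("?", 1)[0]
    return unquote(path).lower()


def find_sensitive_requests(lines) -> list:
    """Return a Finding for every parseable request that targets a sensitive path."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        path = normalize_path(rec["path"])
        if any(path.startswith(p) for p in SENSITIVE_PATH_PREFIXES):
            status = int(rec["status"])
            findings.append(Finding(rec["ip"], path, status, 200 <= status < 300))
    return findings


def exposed_paths(findings) -> list:
    """Sorted, de-duplicated list of sensitive paths the server actually served."""
    return sorted({f.path for f in findings if f.exposed})


# Constructed sample log lines for the example (192.0.2.0/24 is documentation space).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jan/2018:10:01:12 +0000] "GET /scripts/cnss_seed_users.sql HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jan/2018:10:01:15 +0000] "GET /windows/apache2/conf/server.key HTTP/1.1" 200 1704 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Jan/2018:10:01:20 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Jan/2018:10:02:03 +0000] "GET /Stack/PostgreSQL/data/pg_hba.conf HTTP/1.1" 403 199 "-" "curl/7.55.1"',
    '192.0.2.44 - - [05/Jan/2018:10:02:09 +0000] "GET /services/finder/admin/index.php HTTP/1.1" 200 2311 "http://192.0.2.1/" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]

if __name__ == "__main__":
    for f in find_sensitive_requests(SAMPLE_LOG):
        flag = "EXPOSED" if f.exposed else "blocked"
        print(f"{flag:8} {f.status} {f.ip:12} {f.path}")
    print("served sensitive paths:", exposed_paths(SAMPLE_LOG and find_sensitive_requests(SAMPLE_LOG)))
```

A hit on /services/finder/admin/index.php is expected for administrators, so for that path the log only tells you who requested it; correlate the client address with the application's own session or user records to see whether a ‘user’-role account reached it. The other paths should never return 2xx to anyone once the patch is applied.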

+++++

~Cheers
