Cambium Networks Services Server (CNSS) – Access Control Flaws
Cambium Networks Services Server (CNSS) – Official Cambium software tool to manage Cambium ePMP devices
The Cambium Networks Services (CNS) Server is a network management application provided by Cambium Networks to manage ePMP devices.
Centrally manage the distribution of software upgrades to your ePMP network via a standard web browser
Vulnerable versions – 184.108.40.206.3211 – (current at the time of reporting)
Fixed – a patch was released for 220.127.116.11.3211 which fixes these issues
Download Link(s) (need sign up)
Filename – cnsserver-18.104.22.168.3211-windows-installer.exe
Windows 2008 SP1 x64
- Install the application.
- Default install in C:\Program Files\cnsserver\.
- A web server is started on HTTP(S) 80/443, when the application is run. This port can be changed.
- Start Menu -> Programs -> Cambium Networks Services Server -> Start CNS Server Backend.
- Start Menu -> Programs -> Cambium Networks Services Server -> Launch CNS Server.
Access Control Flaws [No Auth Required]
It was found that the application does not implement strict access control. An unauthenticated, remote user can access the root-, sub-directories, and sensitive configuration files, directly from the server.
- Access User Hashes
a. http://IP/scripts/cnss_test_users.sql b. http://IP/scripts/cnss_seed_users.sql
- These files contain login names and password hashes for the application users.
Access Control Flaws – Capture credentials for Device Discovery [Post Authentication]
CNSS is used for discovering various other Cambium devices such as ePMP, and managing all deployed units centrally. In order to discover and access the devices, it relies upon SNMP (v2c) community strings and login credentials.
The CNSS application has 2 roles – administrators, and users. An ‘admin’ has full access to the application. A user in ‘users’ group has restricted access to functions in the application.
During the assessment, it was observed that:
- An admin user can access & make changes to default configuration for device discovery.
- The non-administrative account – ‘user’ – cannot access ‘Discover’ function configuration.
- However, it is possible for a ‘user’ to capture this configuration – default login credentials and SNMP strings for other devices – by accessing the following url:
- As seen above, SNMP strings & default admin login credentials are stored in clear-text. While this function does make life of a network admin or Cambium device admin easier, where there are hundreds of units deployed across the network, and to be managed remotely, it induces a high risk immediately.
- Considering that all Cambium models can be managed remotely using SNMP, and HTTP(S), and the above creds & SNMP strings may be deployed on most of the devices, a malicious actor can use these credentials to compromise Cambium devices throughout the network.