Back in April 2017, I posted about SNMP vulnerabilities in Cambium ePMP devices.
ICS-CERT has now published the advisory for Cambium ePMP SNMP vulnerabilities:
Vendor: Cambium Networks
Vulnerabilities: Improper Access Control, Improper Privilege Management
Cambium ePMP product security, putting it mildly, needs considerable improvement. I will be publishing another set of fresh reports on Cambium devices soon. If you are using ePMP boxes, or other Cambium appliances, please ensure:
1. your devices are not publicly accessible
2. default account passwords and SNMP community strings are changed to strong values
3. SNMP is filtered at the firewall.
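The three checks above can be turned into something you can run against your own environment. The following is an added example (not code from the original post, and not a Cambium tool): it rejects default or weak community strings, renders nftables rules that allow SNMP (UDP 161/162) only from named management networks, and scans iptables/nftables-style firewall log lines for SNMP traffic arriving from anywhere else. The log lines, the management CIDR and the table/chain names are constructed assumptions for the demonstration.

```python
"""Defensive SNMP hygiene checks for devices such as Cambium ePMP boxes.

Added example, not part of the original post or of any vendor tooling.
Assumes: firewall logs use the kernel's iptables/nftables "SRC= DST= PROTO= DPT="
format, and that SNMP should only ever originate from the management networks.
"""
import ipaddress
import re
import string

# Well-known default community strings that must never remain configured.
DEFAULT_COMMUNITIES = {"public", "private"}

# Matches the fields the kernel writes for LOG/log targets (iptables and nftables).
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines: one trusted management host, two outside sources,
# and one non-SNMP line that must be ignored.
LOG_LINES = """\
Jun 12 10:01:02 fw kernel: [SNMP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=51022 DPT=161 LEN=53
Jun 12 10:01:05 fw kernel: [SNMP-IN] IN=eth1 OUT= SRC=10.20.0.5 DST=192.0.2.10 PROTO=UDP SPT=40001 DPT=161 LEN=53
Jun 12 10:01:09 fw kernel: [SNMP-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=33333 DPT=162 LEN=80
Jun 12 10:01:11 fw kernel: [WEB-IN] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33334 DPT=443 LEN=60
""".splitlines()


def community_string_problems(value, min_len=16):
    """Return the policy violations for a community string (empty list = acceptable)."""
    problems = []
    if value.lower() in DEFAULT_COMMUNITIES:
        problems.append("well-known default")
    if len(value) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        any(c.islower() for c in value),
        any(c.isupper() for c in value),
        any(c.isdigit() for c in value),
        any(c in string.punctuation for c in value),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def nftables_snmp_rules(management_nets, table="inet filter", chain="input"):
    """Render nft rules: accept SNMP from management networks, log and drop the rest.

    The table and chain are assumed to exist already; the log prefix matches the
    one the detection function below looks for.
    """
    rules = [
        f"add rule {table} {chain} ip saddr {net} udp dport {{161, 162}} accept"
        for net in management_nets
    ]
    rules.append(
        f'add rule {table} {chain} udp dport {{161, 162}} log prefix "[SNMP-IN] " drop'
    )
    return "\n".join(rules)


def untrusted_snmp_sources(lines, management_nets, snmp_ports=(161, 162)):
    """Return (src, dst, port) for SNMP datagrams not sent from a management network."""
    nets = [ipaddress.ip_network(n) for n in management_nets]
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) not in snmp_ports:
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in nets):
            hits.append((str(src), m["dst"], int(m["dpt"])))
    return hits


if __name__ == "__main__":
    mgmt = ["10.20.0.0/16"]  # constructed management network
    for candidate in ("public", "Zq7!mK2#pL9$wX4r"):
        print(candidate, "->", community_string_problems(candidate) or "ok")
    print(nftables_snmp_rules(mgmt))
    for src, dst, port in untrusted_snmp_sources(LOG_LINES, mgmt):
        print(f"SNMP to {dst}:{port} from untrusted {src}")
```

Feed `untrusted_snmp_sources` your real firewall log (one line per element) and your actual management CIDRs; anything it returns is either a device that is still reachable from outside the management network or a rule that is missing.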
Read on for details.
Cambium SNMP Security Vulnerabilities
Late last year, in 2016, I decided to take a look at the SNMP implementation in Cambium ePMP appliances. After a few hours of checking out the supported OIDs and the corresponding device operations, the security issues stood out glaringly. The vendor, for the most part, attributed these (read: passed the ball) to SNMP v1/2c, which is inherently insecure, and IMO still hasn't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices and gather sensitive information. Affected devices:
- Cambium ePMP 1000
- Cambium ePMP 2000
- Cambium PMP XXX
- Cambium ForceXXX models
- Potentially all other models
These vulnerabilities can allow an attacker to read the device configuration as well as make unauthorized changes to it.
Read on for details and the PoC.