Cambium

28 Jun 2017

[ICS] Cambium ePMP ICS-CERT Advisory Published

Back in April 2017, I posted SNMP vulnerabilities in Cambium ePMP devices. ICS-CERT has now published the advisory for Cambium ePMP SNMP vulnerabilities: https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01 Vendor: Cambium Networks
Equipment: ePMP
Vulnerabilities: Improper Access Control, Improper Privilege Management
CVE-IDs
CVE-2017-7918
CVE-2017-7922 Cambium ePMP product security, putting it mildly, needs considerable improvement. I will be publishing another set of fresh reports on Cambium devices soon. In case you are using ePMP boxes, or other Cambium appliances, please ensure: 1. your devices are not accessible publicly
2. default account passwords & SNMP community strings are changed to strong values
3. SNMP is filtered at the firewall. Read on for details.

Read more

07 Apr 2017

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and corresponding device operations, the security issues stood out glaringly. The vendor, to the most part, attributed these (read: pass the ball) to SNMP v1/2c, which is inherently insecure; and IMO, still haven't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices, and gather sensitive information.

AFFECTED PRODUCTS

  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models


IMPACT
These vulnerabilities may can allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.

Read on for details & poc.

Read more

28 Nov 2015

Cambium ePMP 1000 – Multiple vulnerabilities

A couple of weeks back, I came across Cambium ePMP devices. I found multiple vulnerabilities in Cambium ePMP 1000 devices, and as always, attempted to work with the vendor. But you know how most vendor(s) handle a responsible disclosure. Poorly.

Hence, documenting these findings and proof of concepts now.

Read on for details.

Read more