Cambium

05 Jan 2018

Cambium Networks Services Server (CNSS) – Access Control Flaws

This 0-day report was submitted to Cambium via Beyond Trust's SSD program and resolved back in November 2017. Forgot to push this out. Publishing the report now.

Cambium Networks Services Server (CNSS) - Official Cambium software tool to manage Cambium ePMP devices

http://www.cambiumnetworks.com/products/software-tools/cns-server/

The Cambium Networks Services (CNS) Server is a network management application provided by Cambium Networks to manage ePMP devices.

Centrally manage the distribution of software upgrades to your ePMP network via a standard web browser

Vulnerable versions – 1.3.2.3.3211 - (current at the time of reporting)

Fixed - a patch was released for 1.3.2.3.3211 which fixes these issues

Vulnerability Summary

  1. It is possible for an unauthenticated user to access sensitive configuration files from the server.
  2. It is possible for a low-privileged user to access restricted, sensitive information.

Read on for details.

05 Jan 2018

Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal

This 0-day report was submitted to Cambium via Beyond Trust's SSD program and resolved back in November 2017. Forgot to push this out. Publishing the report now.

Cambium Network Updater Tool (CNUT) - Official Cambium software tool to manage Cambium Devices

The Network Updater Tool is a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios.

Vulnerable versions – 4.11.2 - (current at the time of reporting)

Fixed - versions > 4.11.2

Vulnerability Summary

It is possible for an unauthenticated user to read arbitrary files off of the file system.

Read on for details.

28 Jun 2017

[ICS] Cambium ePMP ICS-CERT Advisory Published

Back in April 2017, I posted SNMP vulnerabilities in Cambium ePMP devices. ICS-CERT has now published the advisory for the Cambium ePMP SNMP vulnerabilities: https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01

Vendor: Cambium Networks
Equipment: ePMP
Vulnerabilities: Improper Access Control, Improper Privilege Management
CVE-IDs: CVE-2017-7918, CVE-2017-7922

Cambium ePMP product security, putting it mildly, needs considerable improvement. I will be publishing another set of fresh reports on Cambium devices soon. In case you are using ePMP boxes, or other Cambium appliances, please ensure:

  1. your devices are not accessible publicly
  2. default account passwords & SNMP community strings are changed to strong values
  3. SNMP is filtered at the firewall.

Read on for details.

07 Apr 2017

[ICS] Cambium ePMP SNMP Security Vulnerabilities

Cambium SNMP Security Vulnerabilities

Late last year, in 2016, I decided to take a look at the SNMP implementation in Cambium ePMP appliances. After a few hours of checking out supported OIDs and corresponding device operations, the security issues stood out glaringly. The vendor, for the most part, attributed these (read: passed the ball) to SNMP v1/2c, which is inherently insecure, and IMO still hasn't actually fixed the core issues. Why is this significant? Because, simply put, anyone can easily exploit these flaws to take over ePMP devices and gather sensitive information.

AFFECTED PRODUCTS

  1. Cambium ePMP 1000
  2. Cambium ePMP 2000
  3. Cambium PMP XXX
  4. Cambium ForceXXX models
  5. Potentially all other models

IMPACT

These vulnerabilities may allow an attacker to access device configuration as well as make unauthorized changes to the device configuration.

Read on for details & poc.

28 Nov 2015

Cambium ePMP 1000 – Multiple vulnerabilities

A couple of weeks back, I came across Cambium ePMP devices. I found multiple vulnerabilities in Cambium ePMP 1000 devices and, as always, attempted to work with the vendor. But you know how most vendors handle a responsible disclosure. Poorly.

Hence, documenting these findings and proof of concepts now.

Read on for details.