lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jun 2016 11:03:37 -0700 From: Ian Ling <iancling@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Siklu EtherHaul Hidden ‘root’ Account [+] Credits: Ian Ling [+] Website: iancaling.com [+] Source: http://blog.iancaling.com/post/145309944453/ Vendor: ================= www.siklu.com/ Product: ====================== -EtherHaul EH-1200F/FX/TX, EH-2200F/FX, EH-600T/TL -EtherHaul EH-1200/TL Vulnerability Type: =================== Default Root Account CVE Reference: ============== N/A Vulnerability Details: ===================== Siklu EtherHaul radios have a built-in, hidden root account, with an unchangeable password that is the same across all devices. This account is accessible via both ssh and the device’s web interface and grants access to the underlying embedded Linux shell on the device, allowing full control over it. See source above for details on how the password was found. Affected versions: -EtherHaul EH-1200F/FX/TX, EH-2200F/FX, EH-600T/TL < 6.9.0 -EtherHaul EH-1200/TL ALL VERSIONS Impact: The remote attacker has full control over the device, including shell access. This can lead to packet sniffing and tampering, denial of service, and even damage to the device ("bricking"). Disclosure Timeline: =================================== Vendor Notification: December 2, 2015 Public Disclosure: June 2, 2016 Exploitation Technique: ======================= Remote Severity Level: ================ Critical _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists