lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 18 May 2017 15:39:59 -0700
From: Ian Ling via Fulldisclosure <fulldisclosure@...lists.org>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Ceragon FibeAir IP-10 Hidden User Backdoor

[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: http://blog.iancaling.com/post/160817658078

Vendor:
=================
https://www.ceragon.com


Products:
======================
Ceragon FibeAir IP-10 (<=7.2.0) (latest version)


Vulnerability Types:
===================
Hidden User Backdoor


Vulnerability Details:
=====================
Ceragon FibeAir IP-10 wireless radios contain a hidden user account with 
a default password set by the vendor. This user can be accessed via both 
the web interface and SSH. In the web interface, this simply grants an 
attacker read-only access to the device’s settings. However, when using 
SSH, this user gives an attacker access to a Linux shell.

While the mateidu user does not have root privileges in the Linux shell, 
these devices run an outdated Linux kernel that may be vulnerable to 
privilege escalation exploits.

The vendor recommends that users “log as mateidu user and change the 
password via the GUI this will close the old internal protection port 
access. [sic]”

The mateidu user’s password is the same as its username.

This vulnerability is similar to CVE-2015-0936, which detailed the 
discovery of an RSA key pair that allowed an attacker to log in as the 
mateidu user via SSH.


Disclosure Timeline:
===================================
2017/05/12 - Contacted vendor
2017/05/14 - Vendor acknowledges report
2017/05/16 - Vendor sends their recommendation
2017/05/18 - Publicly disclosed

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists