lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAAnZqX9rWUx09zjP2pt2Tabt1DdryR=TANuCysx0GWg21XAknQ@mail.gmail.com>
Date: Wed, 22 Nov 2017 10:20:00 +0200
From: Maor Shwartz <maors@...ondsecurity.com>
To: fulldisclosure@...lists.org
Cc: SecuriTeam Secure Disclosure <ssd@...ondsecurity.com>
Subject: [FD] SSD Advisory – Cambium Multiple Vulnerabilities

SSD Advisory – Cambium Multiple Vulnerabilities

Full report: https://blogs.securiteam.com/index.php/archives/3526
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Cambium
Network Updater Tool and Networks Services Server.

The Network Updater Tool is “a free-of-charge tool that applies packages to
upgrade the device types that the release notes for the release that you
are using list as supported. Because this tool is available, an operator
does not need to visit each module in the network or even each AP where
they would otherwise use the SM Autoupdate capability of the radios”

The Cambium Networks Services (CNS) Server is “a network management
application provided by Cambium Networks to manage ePMP devices.”

The vulnerabilities found in Cambium products are:

Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
Cambium Networks Services Server (CNSS) – Unauthenticated Access Control
Bypass
Cambium Networks Services Server (CNSS) – Capture credentials for Device
Discovery

Credit
An independent security researcher, Karn Ganeshen, has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Cambium has released patches to address those vulnerabilities.

For more details: https://help.endian.com/hc/en-us/articles/115012996087 –
Support Case 131840

Vulnerabilities details
Cambium Network Updater Tool Unauthenticated File Path Traversal

When Cambium Network Updater Tool is started, it runs a web server on
HTTP(S) port 80/443. Cambium Network Updater Tool is a Java application.
The web server does not perform strict input validation, and uses input
data for filesystem operation.

Therefore, it is possible for an un-authenticated user to read arbitrary
files off of the file system by issuing the following request:

===

curl http://IP/../../path/to/file

===

Cambium Networks Services Server Unauthenticated Access Control Bypass

Cambium Networks Services Server does not implement strict access control.
An unauthenticated, remote user can therefore, access the root-,
sub-directories, and sensitive configuration files, directly from the
server.

ambium Networks Services Server (CNSS) – Capture credentials for Device
Discovery

CNSS is used for discovering various other Cambium devices such as ePMP,
and managing all deployed units centrally. In order to discover and access
the devices, it relies upon SNMP (v2c) community strings and login
credentials.

The CNSS application has 2 roles – administrators, and users. An ‘admin’
has full access to the application. A user in ‘users’ group has restricted
access to functions in the application.

An admin user can access & make changes to default configuration for device
discovery

The non-administrative account – ‘user’ – cannot access ‘Discover’ function
configuration

However, it is possible for a ‘user’ to capture this configuration –
default login credentials and SNMP strings for other devices – by accessing
the following url:

===

http://ip/services/finder/admin/index.php

===



--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2

Download attachment "SSD Advisory – Cambium Multiple Vulnerabilities – SecuriTeam Blogs.pdf" of type "application/pdf" (112145 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ