what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cambium SNMP Access Controls

Cambium SNMP Access Controls
Posted Apr 6, 2017
Authored by Karn Ganeshen

Cambium products suffer from SNMP access control issues that may allow for unauthorized changes to the device configuration. Models affected include Cambium ePMP 1000, Cambium ePMP 2000, Cambium PMP XXX, and Cambium ForceXXX models.

tags | exploit, bypass
SHA-256 | 83af628b8ca5f9c6f13937f56b1da567235978f7f6485f3db1c03008ecf2e6d5

Cambium SNMP Access Controls

Change Mirror Download
Cambium SNMP Security Vulnerabilities

AFFECTED PRODUCTS

Cambium ePMP 1000
Cambium ePMP 2000
Cambium PMP XXX
Cambium ForceXXX models
Potentially all other models

IMPACT

These vulnerabilities may allow an attacker to access device configuration
as well as make unauthorized changes to the device configuration.

Disclosure Timelines

First reported to ICS-CERT - Sep 12, 2017
Latest vendor response - Apr 5, 2017
Fix planned for Q2 2017
Public Disclosure - Apr 6, 2017


BACKGROUND

Through its extensive portfolio of reliable, scalable and secure wireless
narrowband and wireless broadband networks, Cambium Networks makes it
possible for all service providers; industrial, enterprise, government, and
service providers to build affordable, reliable, high-performance
connectivity. Our wireless networks enable industrial Internet of things
(IIoT) connectivity, and for service providers to improve customer
satisfaction and efficiency.

SNMP Feature

SNMP is a standard protocol employed by many types of Internet protocol
based products and allows centralized and remote device management
capabilities. One of the many standard SNMP capabilities enables users to
manage the product, including accessing device configuration, making
changes, as well as triggering back up and restore.

Specific to Cambium devices:

* It is possible to access full device configuration using SNMP. Device
configuration includes usernames, passwords, SSIDs, keys, certificates,
syslog config, and other network & wifi specific details.
* It is possible to trigger configuration backups, which can then be
retrieved using SNMP.
* It is possible to wipe out and / or make changes to the device
configuration remotely.

VULNERABILITY OVERVIEW

A. SNMP COMMUNITY STRINGS PRIVILEGES ARE NOT ENFORCED CORRECTLY

It is possible to use SNMP ReadOnly community string to access MIBs that
should only be accessible using ReadWrite community string (for example
Wireless key). Different versions leak different pieces of RW-only
accessible information. Current version (at the time of reporting 3.2)
allowed RO string to read WPA2 key.

For example:

snmpget -v2c -c public <IP> 1.3.6.1.4.1.17713.21.3.8.2.4.0


B. DEVICE CONFIGURATION BACKUPS a ACCESS CONTROL ISSUES

Using SNMP, device configuration backups can be remotely triggered. Using
specific MIBs, we can:
1. trigger the backup, and
2. identify exact backup file name, & location.

In case any backup file(s) are already present, their names & locations can
also be retrieved.

Trigger backup
snmpset -v2c -c private <IP> 1.3.6.1.4.1.17713.21.6.4.10.0 i 1
iso.3.6.1.4.1.17713.21.6.4.10.0 = INTEGER: 1

Get backup file location & name
snmpget -v2c -c public <IP> 1.3.6.1.4.1.17713.21.6.4.13.0
iso.3.6.1.4.1.17713.21.6.4.13.0 = STRING: "
http://IP/dl/3.2.2_00000000000000.json"

All the backup files are uploaded on the web server root directory /, and
lack any access control. Anyone can enumerate & dump the backup
configuration file(s) directly. Using the information in device
configuration, it may be possible to gain access to the device, and / or
its clients (wireless devices and users).

+++++
Metasploit module will be released shortly.
+++++


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close