CERT VU:936356
History: Jan 16, 2015 - 12:00 a.m.

Ceragon FiberAir IP-10 Microwave Bridge contains a default root password

2015-01-16 00:00:00
www.kb.cert.org

CVSS2: 7.8

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: COMPLETE
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:C/A:N

EPSS: 0.003
Percentile: 66.0%

Overview

Ceragon FiberAir IP-10 Microwave Bridge contains a default root password.

Description

CWE-255: Credentials Management

Ceragon FiberAir IP-10 Microwave Bridges contain a default root password. The root account can be accessed through SSH, Telnet, the command line interface, or HTTP.

The affected vendor, Ceragon, has provided the following statement:
_The FibeAir IP-10 products have an embedded Linux OS._

The root password that is within the IP-10 products is a default password and can be changed by our customers in a simple manner. The existence of such a password is documented in the product user documentation, is highlighted to the customer post shipment, and it is recommended to be changed in accordance with common password management policies.

Many of our customers have chosen to change the root password and that is based on information provided within the product documentation referring to capability and ways of changing all Admin privileges, as well as access to the Linux OS Shell.

We would like to remind again, those customers who have not changed the default root password on their installed IP-10 devices are encouraged to contact your local Ceragon representative, who will assign a customer service expert to provide a means for quick and secure update of root password in multiple devices, simultaneously.


Impact

A remote, unauthenticated attacker may be able to gain administrative privileges on the device.


Solution

Change your Password
Change any default passwords, and do not deploy without changing default passwords. Search engines such as Shodan can index systems exposed to the internet and default passwords are usually documented and well-known. It is often trivial for an attacker to identify and access systems on the internet using default passwords.


Vendor Information

Ceragon Networks Inc Affected

Notified: October 27, 2014 Updated: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9 E:F/RL:U/RC:UR
Environmental 6.8 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Jasper Greve for reporting this vulnerability.

This document was written by Chris King.

Other Information

CVE IDs: CVE-2015-0924
Date Public: 2015-01-16 Date First Published: