Ceragon FibeAir IP-10 7.2.0 Hidden User Backdoor

2017.05.20
Credit: Ian Ling
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

[+] Credits: Ian Ling [+] Website: iancaling.com [+] Source: http://blog.iancaling.com/post/160817658078 Vendor: ================= https://www.ceragon.com Products: ====================== Ceragon FibeAir IP-10 (<=7.2.0) (latest version) Vulnerability Types: =================== Hidden User Backdoor Vulnerability Details: ===================== Ceragon FibeAir IP-10 wireless radios contain a hidden user account with a default password set by the vendor. This user can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker read-only access to the deviceas settings. However, when using SSH, this user gives an attacker access to a Linux shell. While the mateidu user does not have root privileges in the Linux shell, these devices run an outdated Linux kernel that may be vulnerable to privilege escalation exploits. The vendor recommends that users alog as mateidu user and change the password via the GUI this will close the old internal protection port access. [sic]a The mateidu useras password is the same as its username. This vulnerability is similar to CVE-2015-0936, which detailed the discovery of an RSA key pair that allowed an attacker to log in as the mateidu user via SSH. Disclosure Timeline: =================================== 2017/05/12 - Contacted vendor 2017/05/14 - Vendor acknowledges report 2017/05/16 - Vendor sends their recommendation 2017/05/18 - Publicly disclosed


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top