Cambium SNMP Security Vulnerabilities

AFFECTED PRODUCTS

Cambium ePMP 1000
Cambium ePMP 2000
Cambium PMP XXX
Cambium ForceXXX models
Potentially all other models

IMPACT

These vulnerabilities may allow an attacker to read the device configuration and to make unauthorized changes to it.

DISCLOSURE TIMELINE

First reported to ICS-CERT - Sep 12, 2017
Latest vendor response - Apr 5, 2017
Fix planned for Q2 2017
Public Disclosure - Apr 6, 2017

BACKGROUND

Through its extensive portfolio of reliable, scalable and secure wireless narrowband and wireless broadband networks, Cambium Networks makes it possible for service providers and for industrial, enterprise and government organizations to build affordable, reliable, high-performance connectivity. Our wireless networks enable industrial Internet of Things (IIoT) connectivity, and allow service providers to improve customer satisfaction and efficiency.

SNMP FEATURE

SNMP is a standard protocol employed by many types of Internet protocol based products and allows centralized and remote device management. One of the many standard SNMP capabilities enables users to manage the product, including accessing the device configuration, making changes, and triggering backup and restore.

Specific to Cambium devices:

* It is possible to access the full device configuration using SNMP. The device configuration includes usernames, passwords, SSIDs, keys, certificates, syslog configuration, and other network and wifi specific details.
* It is possible to trigger configuration backups, which can then be retrieved using SNMP.
* It is possible to wipe out and / or make changes to the device configuration remotely.

VULNERABILITY OVERVIEW

A. SNMP COMMUNITY STRING PRIVILEGES ARE NOT ENFORCED CORRECTLY

It is possible to use the SNMP ReadOnly (RO) community string to access MIB objects that should only be accessible using the ReadWrite (RW) community string (for example, the wireless key). Different versions leak different pieces of RW-only information. The current version at the time of reporting (3.2) allowed the RO string to read the WPA2 key. For example (the device address is given as the placeholder <device-ip>, which the original command omitted):

    snmpget -v2c -c public <device-ip> 1.3.6.1.4.1.17713.21.3.8.2.4.0

B. DEVICE CONFIGURATION BACKUP & ACCESS CONTROL ISSUES

Using SNMP, device configuration backups can be remotely triggered. Using specific MIB objects, we can:

1. trigger the backup, and
2. identify the exact backup file name and location.

If any backup file(s) are already present, their names and locations can also be retrieved.

Trigger backup (<device-ip> is a placeholder for the device address):

    snmpset -v2c -c private <device-ip> 1.3.6.1.4.1.17713.21.6.4.10.0 i 1
    iso.3.6.1.4.1.17713.21.6.4.10.0 = INTEGER: 1

Get backup file location and name:

    snmpget -v2c -c public <device-ip> 1.3.6.1.4.1.17713.21.6.4.13.0
    iso.3.6.1.4.1.17713.21.6.4.13.0 = STRING: "http://IP/dl/3.2.2_00000000000000.json"

All backup files are written to the web server root directory (/) and have no access control. Anyone can enumerate and download the backup configuration file(s) directly. Using the information in the device configuration, it may be possible to gain access to the device and / or its clients (wireless devices and users).

+++++ A Metasploit module will be released shortly. +++++
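The three OIDs quoted in sections A and B are exactly what a network defender should watch for on the management network. The following Python is an added example, not part of this advisory or of any Cambium tooling: it flags reads of the WPA2-key object, sets of the backup-trigger object and reads of the backup-location object in a one-line-per-packet SNMP summary format, and it also flags a GetNext walk that is about to land on one of them. The summary format and the sample lines are constructed assumptions, loosely modelled on tcpdump's SNMP decode.

```python
import re

# Sensitive OIDs quoted in this advisory (Cambium enterprise arc 1.3.6.1.4.1.17713).
SENSITIVE_OIDS = {
    "1.3.6.1.4.1.17713.21.3.8.2.4.0": "wpa2-key-read",
    "1.3.6.1.4.1.17713.21.6.4.10.0": "backup-trigger",
    "1.3.6.1.4.1.17713.21.6.4.13.0": "backup-location-read",
}

# Assumed summary format (constructed, loosely modelled on tcpdump's SNMP decode):
#   SRC.PORT > DST.161: C="community" PDU(len) R=id OID[=value]
LINE_RE = re.compile(
    r'^(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.161: '
    r'.*?C="(?P<community>[^"]*)".*?'
    r'(?P<pdu>GetRequest|GetNextRequest|SetRequest)\(\d+\).*?'
    r'(?P<oid>(?:iso|\.?1)(?:\.\d+)+)'
)

def normalize_oid(oid):
    """Map the 'iso.3.6...' and '.1.3.6...' spellings onto plain dotted numeric form."""
    oid = oid.lstrip(".")
    return "1" + oid[3:] if oid.startswith("iso") else oid

def classify(line):
    """Return a finding dict for one summary line, or None if it is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    oid, pdu = normalize_oid(m["oid"]), m["pdu"]
    tag = SENSITIVE_OIDS.get(oid)
    # A GetNext walk that has reached an ancestor of a sensitive OID returns it next.
    if tag is None and pdu == "GetNextRequest":
        tag = next(("walk-towards-" + t for o, t in SENSITIVE_OIDS.items()
                    if o.startswith(oid + ".")), None)
    if tag is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "community": m["community"],
            "pdu": pdu, "oid": oid, "tag": tag}

def scan(lines):  # run classify() over an iterable of lines, keep the findings
    return [f for f in map(classify, lines) if f]

# Constructed sample traffic: 10.0.0.5 plays the ePMP device, 10.0.0.77 the poller.
SAMPLE = [
    '10.0.0.77.41000 > 10.0.0.5.161: C="public" GetRequest(30) R=1 .1.3.6.1.2.1.1.5.0',
    '10.0.0.77.41001 > 10.0.0.5.161: C="public" GetRequest(38) R=2 .1.3.6.1.4.1.17713.21.3.8.2.4.0',
    '10.0.0.77.41002 > 10.0.0.5.161: C="private" SetRequest(40) R=3 .1.3.6.1.4.1.17713.21.6.4.10.0=1',
    '10.0.0.77.41003 > 10.0.0.5.161: C="public" GetRequest(38) R=4 iso.3.6.1.4.1.17713.21.6.4.13.0',
    '10.0.0.77.41004 > 10.0.0.5.161: C="public" GetNextRequest(36) R=5 .1.3.6.1.4.1.17713.21.6.4',
]
```

scan(SAMPLE) returns four findings, one per sensitive access, and ignores the benign sysName read; the key OID is flagged regardless of community string, since a WPA2 key should never be readable over SNMP at all.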