A researcher has discovered nearly a dozen security issues in ePMP and cnPilot wireless networking products from Cambium, including vulnerabilities that can be exploited to take control of devices and the networks they serve.
Cambium’s ePMP and cnPilot wireless broadband solutions are used by managed services providers, governments, retailers, ISPs, hotels, schools, enterprises, and industrial organizations.
Researcher Karn Ganeshen discovered that ePMP 1000, 2000 and Force wireless broadband devices, and cnPilot R190, R200 and R201 Wi-Fi access points are affected by potentially serious vulnerabilities. The flaws were reported to Cambium in September via Rapid7 and a majority of them were patched last month.
While exploitation of the flaws normally requires access to the network, Rapid7’s Project Sonar uncovered more than 36,000 ePMP devices and 133 cnPilot systems accessible from the Internet, and many of them could be vulnerable. The highest number of exposed systems has been seen in Serbia (9,600), the United States (8.200), Italy (5,000), Brazil (3,000), Spain (2,700), Colombia (2,500) and South Africa (1,100).
Several of the vulnerabilities have been rated critical with a CVSS score of 9.0. One of them is CVE-2017-5254, a privilege escalation flaw affecting ePMP devices. These systems are shipped with several default accounts with default credentials, including admin/admin, installer/installer, home/home and readonly/readonly. The home and installer accounts don’t have admin privileges, but Ganeshen discovered that they can be used to change the admin account password.
The admin password normally cannot be changed by a installer or home user as the password field is not editable. However, an attacker who has access to the web interface with one of these low-privileged accounts can use the Inspect Element feature in their browser and delete the disabled=”” property, which makes the password field editable. The password set by the attacker for the admin account can then be used to access the web interface with administrator privileges.
Another critical privilege escalation flaw in ePMP is CVE-2017-5255. It allows an authenticated attacker – even one with a readonly account – to execute OS-level commands as root by sending a specially crafted request to a function named get_chart.
There are also a couple of other XSS flaws in the ePMP product, but these are more difficult to exploit. The XSS vulnerabilities can allow an attacker to hijack a user’s session, hook the browser, or conduct other activities that can lead to privilege escalation.
The most serious flaw affecting the cnPilot product is related to an undocumented root web shell that can be accessed by any user (CVE-2017-5259). Another critical issue in cnPilot allows privilege escalation via a direct object reference vulnerability (CVE-2017-5260).
cnPilot is also affected by information disclosure and privilege escalation flaws that have been rated medium severity.
The vulnerabilities affect ePMP products running version 3.5 and earlier of the firmware and cnPilot devices running version 4.3.2-R4 and earlier. Fixes have been introduced with the release of versions 3.5.1 and 4.4, respectively. Two issues involving the lack of cross-site request forgery (CSRF) protections and some suspicious binaries have not been patched.