Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Critical Flaws Expose Mimosa Wireless Broadband Devices to Remote Attacks

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

A researcher has discovered several critical vulnerabilities in wireless broadband products made by Mimosa Networks. The flaws can expose affected devices to remote attacks.

Mimosa, a division of Airspan, provides wireless broadband solutions that can be used to connect dense urban homes, as well as hard-to-reach rural homes.

Mimosa vulnerabilitiesAccording to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Mimosa’s management platform (MMP), as well as its point-to-point (PTP) and point-to-multipoint (PTMP) products are affected by seven types of vulnerabilities.

Four of the security holes have been assigned a severity rating of “critical,” including issues that can be exploited for remote code execution, obtaining sensitive information, and causing a denial-of-service (DoS) condition. Two of the remaining flaws, which can be exploited for arbitrary code execution and obtaining sensitive information, have been rated “high severity.”

Mimosa has released updates that should patch these vulnerabilities.

SecurityWeek has reached out to Noam Moshe, vulnerability researcher at industrial and IoT security firm Claroty, who has been credited for finding the flaws.

Moshe says the vulnerabilities can be exploited remotely from the internet — the attacker only needs to be able to access the cloud-based management web interface. The security holes expose all cloud-connected devices to attacks.

“Before the vulnerabilities were patched, to exploit these vulnerabilities an attacker would have needed to send specially crafted requests to the cloud servers in order to gain full access,” the researcher explained.

He added, “By exploiting these vulnerabilities, a remote attacker could exfiltrate sensitive data from all cloud-connected devices, including the device’s real-life locations, shared secrets and internal data of the company that owns the device. Furthermore, attackers could even achieve remote code execution on field internet-supplying devices, gaining full control of the devices and full access to any information being kept on them.”

Advertisement. Scroll to continue reading.

According to CISA, the vulnerabilities have been patched by Mimosa with the release of version 1.0.4 of MMP and version 2.90 for the impacted PTP and PTMP products.

Related: FragAttacks: New Vulnerabilities Expose All Devices With Wi-Fi to Attacks

Related: Vulnerabilities in Realtek Wi-Fi Module Expose Many Devices to Remote Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.