12-19-2017 cnPilot R200/201 security advisory

Cambium Networks Security Advisory

CVE ID          Description                                                          Score
CVE-2017-5259   Privilege escalation via backdoor access                             9.0
CVE-2017-5260   Privilege escalation via direct object reference                     9.0
CVE-2017-5261   Critical information disclosure via file path traversal in Readfile  6.8
CVE-2017-5262   Privilege escalation via SNMP RO access to sensitive OIDs            6.8

Summary

In cnPilot R200/R201 systems, an attacker can gain admin-level access via multiple attack vectors, including the web interface and SNMP. It is critical to update all cnPilot R200/201 systems to the 4.3.4-R8 firmware.

Affected Products

cnPilot R200/201

Fixed in Software

4.3.4-R8

Mitigations

It is recommended that users change the default SNMP configuration. ePMP ships with the defaults "public" and "private" for the RO (read-only) and RW (read-write) community strings. Cambium recommends changing these to random strings of eight or more characters, including both upper- and lower-case letters and numbers for variability.

It is also recommended to ensure that the management interfaces (HTTP/HTTPS/SNMP) are not accessible from the Internet.
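The SNMP community-string guidance above, as an added example (not Cambium's code): a small Python audit that flags the shipped "public"/"private" defaults and any string failing the advisory's length and character-class rules, plus a generator for a compliant replacement. The role names "ro"/"rw" and the sample device configuration are constructed for the example.

```python
import secrets
import string

# Community strings the advisory says ship by default on the device.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LENGTH = 8  # minimum length the advisory recommends

def community_problems(community: str) -> list[str]:
    """Return the advisory rules the string violates; an empty list is compliant.

    Rules: not a shipped default, at least MIN_LENGTH characters, and a mix of
    upper-case letters, lower-case letters and digits.
    """
    problems = []
    if community.lower() in DEFAULT_COMMUNITIES:
        problems.append("default community string")
    if len(community) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in community):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in community):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in community):
        problems.append("no digit")
    return problems

def generate_community(length: int = 16) -> str:
    """Random string passing community_problems(): CSPRNG (secrets), one char of
    each required class guaranteed, shuffled so class positions are unpredictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(string.ascii_uppercase),
             secrets.choice(string.ascii_lowercase),
             secrets.choice(string.digits)]
    alphabet = string.ascii_letters + string.digits
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def audit(communities: dict[str, str]) -> dict[str, list[str]]:
    """Map each RO/RW role to its problems; compliant roles are omitted."""
    return {role: p for role, value in communities.items()
            if (p := community_problems(value))}

if __name__ == "__main__":
    # Constructed sample: a device still using the shipped defaults.
    for role, issues in audit({"ro": "public", "rw": "private"}).items():
        print(f"{role}: {'; '.join(issues)} -> suggested: {generate_community()}")
```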

Exploitation and Public Announcements

Source

Researcher Karn Ganeshen identified these vulnerabilities.
