12-19-2017 ePMP security advisory

Cambium Networks Security Advisory

CVE ID          Description                                                                      Score
CVE-2017-5255   Privilege escalation via command injection                                       9.0
CVE-2017-5256   Privilege escalation via XSS                                                     8.3
CVE-2017-5257   Privilege escalation via XSS through SNMP OIDs, using RW community access        7.0
CVE-2017-5258   Privilege escalation via XSS through SNMP configuration upload, using RW access  7.0

Summary

In ePMP systems, an attacker who knows the private (read-write) SNMP community string can obtain admin access to the device. An attacker who holds home or installer credentials can also escalate to the admin level through the web interface.

Affected Products

All ePMP products

Fixed in Software

3.5.1

Mitigations

It is recommended that users change the default SNMP configuration. ePMP ships with the default community strings "public" for RO (read-only) and "private" for RW (read-write) access. Cambium recommends replacing these with random strings of eight or more characters that mix upper-case letters, lower-case letters and digits.

It is also recommended to ensure that the management interfaces (HTTP, HTTPS and SNMP) are not reachable from the Internet.

Exploitation and Public Announcements

Source

Researcher Karn Ganeshen identified these vulnerabilities.
