06-16-2017 ePMP SNMP security advisory

Cambium Networks Security Advisory

CVE-2017-7918 CVSSv3 Score: 6.8

CVE-2017-7922 CVSSv3 Score: 7.6

Summary

In ePMP systems, an attacker can get sensitive information if he/she is aware of the public SNMP community string.

After a valid user has used SNMP configuration export using the private SNMP community string, an attacker is able to retrieve the backup file via SNMP using the public community string.

Affected Products

All ePMP products

Fixed in Software

3.4-RC7 (and therefore included in official release 3.4)

Mitigations

It is recommended that users change default SNMP configuration. ePMP comes with the default “public” and “private” for RO (read only) and RW (read-write) community strings. Cambium recommends changing this to a random string consisting of eight or more characters in length, including both upper and lower case letters and numbers for variability.

It is also recommended to ensure that management (HTTP/HTTPS/SNMP) is not accessible from the Internet.

Exploitation and Public Announcements

https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01

https://community.rapid7.com/community/metasploit/blog/2017/04/20/metasploit-wrapup

Source

Researcher Karn Ganeshen identified these vulnerabilities.

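The community-string recommendation from the Mitigations section above, as an added example that is not Cambium's code: a small Python audit that flags the factory defaults ("public"/"private") and strings missing the eight-character, mixed-case-plus-digits policy, and generates a compliant replacement with a CSPRNG. The configuration key names are assumptions for the example, not ePMP's real schema.

```python
import re
import secrets
import string

# Factory-default community strings shipped with ePMP, per the advisory.
DEFAULT_COMMUNITIES = {"public", "private"}
# Cambium's recommendation: eight or more characters with upper- and
# lower-case letters and digits.
MIN_LENGTH = 8


def check_community_string(value):
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if value.lower() in DEFAULT_COMMUNITIES:
        problems.append("factory default community string")
    if len(value) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", value):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", value):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", value):
        problems.append("no digit")
    return problems


def generate_community_string(length=16):
    """Generate a random string from the secrets CSPRNG; retry until every
    required character class is present so the result passes the check."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_community_string(candidate):
            return candidate


def audit_snmp_config(config):
    """Audit RO and RW community strings from a device config dict.
    Key names are hypothetical. Returns {key: [problems]} for failures."""
    findings = {}
    for key in ("snmpReadOnlyCommunity", "snmpReadWriteCommunity"):
        problems = check_community_string(config.get(key, ""))
        if problems:
            findings[key] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample: a radio still on factory defaults.
    sample = {"snmpReadOnlyCommunity": "public", "snmpReadWriteCommunity": "private"}
    for key, problems in audit_snmp_config(sample).items():
        print(key + ": " + ", ".join(problems))
    print("compliant replacement:", generate_community_string())
```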

What has changed in 3.4 to address this? Specifically, is it anything that's going to affect normal use of the SNMP functionality?

This should be pretty much a non-issue for those of us that don't have any of our ePMPs' management interfaces publicly accessible, correct?

The following changes have been made:

1. Disabled access to sensitive fields (e.g. WPA2 key) using public community string
2. Disabled access to backup file location using public community string
3. Backup file location now contains UUID token to avoid enumeration attack (e.g. 3.2.2_5e6d8d38-1ed5-11e7-93ae-92361f002671.json)

Those of you not having default SNMP community strings or ePMPs' management interfaces publicly accessible are safe.


Could you please introduce in future firmwares the option to enable or disable SNMP?

Then with default configuration it is disabled???

I believe functions such as SNMP and SSH should come disabled in default config and if you choose to use them you then enable them on first login.

Chris, many of us don’t log into the GUI at first go; they are batched and scripted and sent to the field. Much easier to do 20 radios at a time this way. Disabling SSH and SNMP would slow down the bulk users of these radios.

I figured it was asking too much; with our company the installers have a config file and they program them. Upon completion of install they call in to get it signed off and we do the finishing touches.

I should have considered the other methods prior to posting.

Same here - we use a script to configure all our SMs, so it would definitely be a problem if SNMP and SSH were disabled by default.

I can see the appeal of being able to disable SNMP entirely if you don't utilize it - but have to agree that disabled out-of-the-box would seriously impair our preconfig process. If it's an option to disable it, then those who don't want it could include that disable in their default config.
