Cambium Networks Security Advisory
CVE-2017-5259 Privilege escalation via backdoor access 9.0
CVE-2017-5260 Privilege escalation via direct object reference 9.0
CVE-2017-5261 Critical information disclosure via file path traversal in Readfile 6.8
CVE-2017-5262 Privilege escalation via SNMP RO access to sensitive OIDs 6.8
In cnPilot R200/R201 systems, an attacker can get admin-level access via multiple attack vectors, including the web interface and SNMP. It is critical to update all cnPilot R200/R201 systems to the 4.3.4-R8 firmware.
Fixed in Software
It is recommended that users change the default SNMP configuration. ePMP comes with the defaults “public” and “private” for the RO (read-only) and RW (read-write) community strings. Cambium recommends changing these to a random string of eight or more characters, including both upper- and lower-case letters and numbers for variability.
It is also recommended to ensure that management (HTTP/HTTPS/SNMP) is not accessible from the Internet.
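The following is an added example, not code from Cambium or from the advisory, showing how an operator could audit a device's SNMP settings against the two recommendations above (no factory-default community strings, a string of eight or more characters with mixed case and digits, and no management exposed on the WAN side) and generate a replacement string that meets the policy. The dictionary layout with keys `ro`, `rw` and `wan_management` is an assumed representation of the device settings, not a Cambium configuration format.

```python
import secrets
import string

# Factory-default community strings named in the advisory.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_LEN = 8  # advisory guidance: eight or more characters


def meets_policy(community: str) -> bool:
    """True if the string follows the advisory's guidance:
    at least MIN_LEN characters with lower-case, upper-case and digits."""
    return (
        len(community) >= MIN_LEN
        and any(c.islower() for c in community)
        and any(c.isupper() for c in community)
        and any(c.isdigit() for c in community)
    )


def audit_snmp(config: dict) -> list:
    """Return a list of human-readable findings for an assumed config dict
    of the form {"ro": str, "rw": str, "wan_management": bool}."""
    findings = []
    for role in ("ro", "rw"):
        value = config.get(role, "")
        if value.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{role.upper()} community is the factory default '{value}'")
        elif not meets_policy(value):
            findings.append(f"{role.upper()} community does not meet the length/complexity policy")
    # A single shared string gives every read-only user write access.
    if config.get("ro") and config.get("ro") == config.get("rw"):
        findings.append("RO and RW communities are identical")
    # Management (HTTP/HTTPS/SNMP) should not be reachable from the Internet.
    if config.get("wan_management"):
        findings.append("management is reachable from the WAN/Internet side")
    return findings


def generate_community(length: int = 16) -> str:
    """Generate a cryptographically random community string that
    satisfies meets_policy(); the loop retries the rare all-one-class draw."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample: a device still on factory settings with WAN management on.
    factory = {"ro": "public", "rw": "private", "wan_management": True}
    for finding in audit_snmp(factory):
        print("FINDING:", finding)
    print("suggested RO community:", generate_community())
    print("suggested RW community:", generate_community())
```

Run the script against an exported settings snapshot converted into the assumed dictionary form; an empty finding list means both recommendations are satisfied.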
Exploitation and Public Announcements
Researcher Karn Ganeshen identified these vulnerabilities.