Just wondering who decided to “enforce” SNMP community to be changed when upgrading radios.
Is not Cambium’s business to force this, and clearly who designed it to be like that has nothing else to do and never ran an ISP with thousands of radios.
I hope someone fixes this and eliminates the need to change SNMP community mandatory, we run on private networks and don’t need to change SNMP.
What a waste of time Cambium folks!!
1 Like
I agree with you, the minimum length requirement is pointless and a hassle. A better approach would have been to simply set SNMP to disabled by default. Let operators turn it on and define their own policies from there.
Default passwords in network equipment are a big source of security vulnerabilities, and security agencies are advising manufacturers not to allow equipment to be operated with default passwords. For example:
I’m also not sure that trusting a private network is the best practice these days. All it takes is one device on the network to become compromised, at which point it can mount an attack on other devices on that network.
6 Likes
We don’t use default community, we use our own SNMP community with three digits, inside a private network and vlan.
Every network operator knows that default SNMP community should be changed upon equipment provisioning. Cambium is here to manufacture equipment not to teach basic network by enforcing changes.
Either way, it is not Cambium business what we use and it shouldn’t force to change after update.
Again, please fix that with upcoming software releases.
Thank you
1 Like
Cambium is just following security best practices. When it comes to physical devices or cyber-security in general the popular adage stands: “You have to get it right every time; an attacker just has to get it right once.” I understand the hassle of having to update all of your radios/devices with a new community string, but take that a step further. If someone manages to brute force your 3 character password (which would take no time at all with today’s computers see: Are Your Passwords in the Green?) then they could change fundamental configuration across your network from system passwords to SSIDs, to the cnMaestro URL they report to. They could potentially reduce your “ISP with thousands of radios” to just a bunch of non-functioning equipment in a matter of minutes, and it could take you hours/days depending on the scope of the breach to recover.
In the amount of time it has taken you to post about a security update published in **checks notes** December of 2022 (ePMP release 4.7), you might have been able to find that you can push a new SNMP string globally in cnMaestro with the help of templates. Cambium can correct me if I’m wrong, but I believe I’ve done that when prepping a test environment to go into production.
In my mind and the mind of countless others that constantlty consider security of their network, regardless of how much “physical separation” you can create with VLANs and OOB management, the amount of time and hassle it takes to implement a new password is considerably better than the amount of time to re-program an entire production network from scratch after a breach.
4 Likes
I went thru this too but it was simple using Cnmaestro to push the snmp change to all radios overnight or whenever you want to. I think if you push it during the day there is no reboot required it just enables snmp and updates the snmp community name to whatever you want etc. software update also requires to make a more complex login password for radio management too. Pushing the config from cnmaestro you can change the admin password back to whatever you had before even if it does not meet min standard.
Thats what we did too
its even a default template
{
"device_props": {
"snmpReadOnlyCommunity": "public",
"snmpReadWriteCommunity": "private"
}
}
1 Like
Theres nothing that pisses me off more than someone forcing some crap on us. Next thing you know we’ll be forced into two factor authentication to log into our own equipment. But hey, Cambium, the government, whoever…they are doing it for our own good right! lol gtfo
I would assume this has nothing to do with Cambium Networks, might be a push due to UK and other laws
And now Im forced to change the passwords after upgrading to 5.9.1?
Is that right?
No wonder stock market on Cambium sucks.
1 Like
It has nothing to do with Cambium and Cambium screw up this up?
Forced to change snmp community and admin passwords!!
Thats totally wrong, Is not Cambium business what we use.