SSD Advisory – Cambium Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server.
The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios.”
The Cambium Networks Services (CNS) Server is “a network management application provided by Cambium Networks to manage ePMP devices.”
The vulnerabilities found in Cambium products are:

  • Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
  • Cambium Networks Services Server (CNSS) – Unauthenticated Access Control Bypass
  • Cambium Networks Services Server (CNSS) – Capture credentials for Device Discovery

Credit
An independent security researcher, Karn Ganeshen, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Cambium has released patches to address these vulnerabilities.
For more details: https://help.endian.com/hc/en-us/articles/115012996087 – Support Case 131840

SSD Advisory – ZTE ZXR10 Router Multiple Vulnerabilities

Vulnerabilities Summary
The following advisory describes five (5) vulnerabilities found in ZTE ZXR10 Router.
The ZXR10 ZSR V2 series router is “the next generation intelligent access router product of ZTE, which integrates routing, switching, wireless, security, and VPN gateway. The product adopts an industry-leading hardware platform and software architecture to provide an intelligent and flexible platform for building efficient, reliable, flexible, and maintainable enterprise intelligence networks.”
The vulnerabilities found are:

  • Hard-coded credentials
  • Arbitrary file upload
  • Authentication bypass
  • Arbitrary file read
  • Unauthorized configuration file download

Credit
An independent security researcher has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
The vendor has released patches to address these vulnerabilities.
For more details: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10931
CVE: CVE-2017-10931

SSD Advisory – Tiandy IP cameras Sensitive Information Disclosure

Vulnerability Summary
The following advisory describes a sensitive information disclosure vulnerability found in Tiandy IP cameras version 5.56.17.120.
Tianjin Tiandy Digital Technology Co., Ltd (Tiandy Tech) is “one of the top 10 leading CCTV manufacturers in China and a global supplier of advanced video surveillance solutions.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
We tried to contact Tiandy starting from August 16, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.
CVE: CVE-2017-15236

SSD Advisory – Horde Groupware Unauthorized File Download

Vulnerability Summary
The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21.
Horde Groupware Webmail Edition is “a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.”
Credit
An independent security researcher, Juan Pablo Lopez Yacubian, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
Horde Groupware was informed of the vulnerability, to which they responded with:
“this has already been reported earlier by someone else, and is already fixed in the latest Gollem and Horde Groupware releases.
Besides that, it’s not sufficient to have a list of the server’s users, you also need to exactly know the file name and path that you want to download. Finally, this only works on certain backends, where Horde alone is responsible for authentication, i.e. it won’t work with backends that require explicit authentication.”
CVE: CVE-2017-15235

SSD Advisory – Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in the Mako Server’s tutorial page.
The vulnerabilities found are:

  • Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution
  • Unauthenticated File Disclosure
  • Unauthenticated Server Side Request Forgery

As these tutorials may be used as the basis for production code, it is important for users to be aware of these issues.
“As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides an application server environment from which developers can design and implement complete, custom solutions. The Mako Web Server is ideal for embedded Linux systems.”
Credit
An independent security researcher, John Page AKA hyp3rlinx, has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
RealTimeLogic was informed of the vulnerabilities on Aug 13, but while acknowledging receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline, or to coordinate an advisory, saying:
“I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.
Internally I need to set up a cost allocation account for billing against these support inquiries.”
At this time it’s unclear whether these vulnerabilities are going to be fixed, and further attempts to get a status clarification failed.