Vulnerability Note VU#936356
Ceragon FiberAir IP-10 Microwave Bridge contains a default root password
Original Release date: 16 Jan 2015 | Last revised: 21 Jan 2015

Overview
Ceragon FiberAir IP-10 Microwave Bridge contains a default root password.

Description
CWE-255: Credentials Management
Ceragon FiberAir IP-10 Microwave Bridges contain a default root password. The root account can be accessed through ssh, telnet, command line interface, or via HTTP.

The affected vendor, Ceragon, has provided the following statement:
The FibeAir IP-10 products have an embedded Linux OS.

The root password that is within the IP-10 products is a default password and can be changed by our customers in a simple manner. The existence of such a password is documented in the product user documentation, is highlighted to the customer post shipment, and it is recommended to be changed in accordance with common password management policies.

Many of our customers have chosen to change the root password and that is based on information provided within the product documentation referring to capability and ways of changing all Admin privileges, as well as access to the Linux OS Shell.

We would like to remind again, those customers who have not changed the default root password on their installed IP-10 devices are encouraged to contact your local Ceragon representative, who will assign a customer service expert to provide a means for quick and secure update of root password in multiple devices, simultaneously.

Impact
A remote, unauthenticated attacker may be able to gain administrative privileges on the device.

Solution
Change your Password
Change any default passwords, and do not deploy without changing default passwords. Search engines such as Shodan can index systems exposed to the internet and default passwords are usually documented and well-known. It is often trivial for an attacker to identify and access systems on the internet using default passwords.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedCeragon Networks IncAffected27 Oct 201413 Jan 2015If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal
9.0
E:F/RL:U/RC:UR

Environmental
6.8
CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/255.html
http://www.ceragon.com/products-ceragon/packet-hybrid-microwave/fibeair-ip-10c

Credit

Thanks to Jasper Greve for reporting this vulnerability.
This document was written by Chris King.

Other Information

CVE IDs:
CVE-2015-0924

Date Public:
16 Jan 2015

Date First Published:
16 Jan 2015

Date Last Updated:
21 Jan 2015

Document Revision:
31

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply