Vulnerability Description
The AirVelocity 1500 has an 8P8C "DBG" port on the outside of the unit that, instead of carrying Ethernet, is an RS232 serial console that is active during and after boot. Although shell access requires login, the port does print the contents of /bsdata/snmpd.conf, among other files, during system boot.
/bsdata/snmpd.conf contains plaintext SNMP credentials: it holds community strings when SNMPv2c is in use and usernames + passwords when SNMPv3 is in use.
Anyone who is able to plug a modified Ethernet cable into this port and reboot the unit can learn its SNMP credentials and use those credentials to change settings (denial of service) or gain root command execution (GHSA-whc6-2989-42xm).
Fix
Airspan released version 15.18.00.2511 in early June which we verified fixes this issue.
Timeline
Reported: March 17, 2022
Fixed: June 2, 2022
Published: July 20, 2022
Vulnerability Description
The AirVelocity 1500 has an 8P8C "DBG" port on the outside of the unit that, instead of carrying Ethernet, is an RS232 serial console that is active during and after boot. Although shell access requires login, the port does print the contents of
/bsdata/snmpd.conf, among other files, during system boot./bsdata/snmpd.confcontains plaintext SNMP credentials: it holds community strings when SNMPv2c is in use and usernames + passwords when SNMPv3 is in use.Anyone who is able to plug a modified Ethernet cable into this port and reboot the unit can learn its SNMP credentials and use those credentials to change settings (denial of service) or gain root command execution (GHSA-whc6-2989-42xm).
Fix
Airspan released version 15.18.00.2511 in early June which we verified fixes this issue.
Timeline
Reported: March 17, 2022
Fixed: June 2, 2022
Published: July 20, 2022