
Airspan AirVelocity 1500 SNMP credentials printed on debug port

vladionescu published GHSA-8j75-qh6c-wpc5 Jul 20, 2022

Package

AirVelocity 1500 eNB (Airspan)

Affected versions

9.3.0.01249

Patched versions

15.18.00.2511

Description

Vulnerability Description

The AirVelocity 1500 has an 8P8C "DBG" port on the outside of the unit that, instead of carrying Ethernet, is an RS232 serial console that is active during and after boot. Although shell access requires login, the port does print the contents of /bsdata/snmpd.conf, among other files, during system boot.

/bsdata/snmpd.conf contains plaintext SNMP credentials: it holds community strings when SNMPv2c is in use and usernames + passwords when SNMPv3 is in use.

Anyone who is able to plug a modified Ethernet cable into this port and reboot the unit can learn its SNMP credentials and use those credentials to change settings (denial of service) or gain root command execution (GHSA-whc6-2989-42xm).

Fix

Airspan released version 15.18.00.2511 in early June, which we verified fixes this issue.
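
A defensive check for the leak described above, added here as an example (not part of the advisory or Airspan's code): it scans a captured DBG-port boot log for SNMP credential lines and redacts them, so an empty findings list on a patched unit means no such lines were printed. It assumes `/bsdata/snmpd.conf` uses net-snmp directive syntax, which the advisory does not state; the sample log and function names are constructed.

```python
MASK = "<redacted>"
# Assumption: net-snmp snmpd.conf syntax (the advisory does not show the file).
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
COM2SEC = {"com2sec", "com2sec6"}  # community string is the last field
# createUser auth/priv protocol keywords (the accepted set varies by build).
PROTOS = {"MD5", "SHA", "SHA-224", "SHA-256", "SHA-384", "SHA-512",
          "DES", "AES", "AES128", "AES192", "AES256"}

def scrub_line(line):
    """Return (redacted_line, kind); kind is None when nothing was masked."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        word, rest = tok.lower(), tokens[i + 1:]
        if word in COMMUNITY and rest:
            return " ".join(tokens[:i + 1] + [MASK] + rest[1:]), "community"
        if word in COM2SEC and len(rest) >= 3:
            return " ".join(tokens[:-1] + [MASK]), "community"
        if word == "createuser" and rest:
            # Mask everything after a protocol keyword except the next
            # protocol keyword, so passphrases containing spaces are covered.
            out, masking = tokens[:i + 1], False
            for t in rest:
                if t.upper() in PROTOS:
                    out.append(t)
                    masking = True
                elif not masking:
                    out.append(t)
                elif out[-1] != MASK:
                    out.append(MASK)
            return " ".join(out), ("usm-user" if MASK in out else None)
    return line, None

def scan_log(text):
    """Redact a console capture; return (redacted_text, [(line_no, kind)])."""
    redacted, findings = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        clean, kind = scrub_line(line)
        redacted.append(clean)
        if kind:
            findings.append((n, kind))
    return "\n".join(redacted), findings

# Constructed sample of a boot capture; all values are placeholders.
SAMPLE_BOOT_LOG = """[    4.210] mounting /bsdata
# snmpd.conf
rocommunity EXAMPLE-ro-string default
rwcommunity EXAMPLE-rw-string 10.0.0.0/8
createUser exampleuser SHA EXAMPLE-auth-pass AES EXAMPLE-priv-pass
syslocation lab
login:"""
```
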

Timeline

Reported: March 17, 2022
Fixed: June 2, 2022
Published: July 20, 2022

Severity

Low

CVE ID

CVE-2022-36307
