CVE-2015-0936 in FibeAir IP-10
Summary
by MITRE
Ceragon FibeAir IP-10 has a default SSH public key in the authorized_keys file for the mateidu user, which allows remote attackers to obtain SSH access by leveraging knowledge of the private key.
Analysis
by VulDB Data Team • 11/27/2024
The Ceragon FibeAir IP-10 is a network infrastructure device that provides wireless broadband connectivity for telecommunications operators. It runs a Linux-based operating system and exposes an SSH service for remote administration and management. CVE-2015-0936 describes a critical flaw in the device's default configuration: a hardcoded public key is shipped in the authorized_keys file of the mateidu user account, which creates a persistent backdoor into the device.
The technical flaw stems from the default configuration, in which a well-known public key is present in the SSH authorized_keys file for the mateidu user. Anyone holding the corresponding private key can therefore open an SSH session to the device without legitimate credentials. The weakness is classified under CWE-798, use of hard-coded credentials. Because the public half is the same on every affected unit, obtaining the private key once grants administrative access to all of them and bypasses the normal authentication mechanism entirely.
The operational impact of this vulnerability is severe and multifaceted. Remote attackers can gain full administrative control over a Ceragon FibeAir IP-10 device, which enables them to modify network configurations, intercept data traffic, install malicious software, or use the device as a pivot point for attacking other systems within the network. Telecommunications infrastructure is particularly exposed, since compromise of these devices can affect entire network segments. The risk is amplified because the private key associated with this default public key is often widely distributed or can be obtained from various sources, which makes exploitation trivial for threat actors. From an ATT&CK framework perspective, this vulnerability maps to initial access and credential access, with potential for privilege escalation and lateral movement within the network infrastructure.
Mitigation requires immediate action from network administrators and security teams. The most effective measure is to remove or replace the default public key in the authorized_keys file and to introduce proper key management for SSH access. Organizations should ensure that all Ceragon FibeAir IP-10 devices are provisioned with custom SSH key pairs and that default accounts are disabled or removed entirely. Network segmentation and monitoring should be in place to detect unauthorized access attempts, and the device should be configured with strong authentication, including multi-factor authentication where the platform supports it. Regular security audits should verify that no default credentials or hardcoded keys remain on the system. Finally, network access controls and firewall rules should restrict SSH access to authorized source addresses only, which reduces the attack surface and limits exploitation of this vulnerability.
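The audit step above (verify that no default key remains in authorized_keys) and the monitoring step (detect logins made with it) can both be automated once the default key's fingerprint is known. The following script is an added example written for this page; it is not code from VulDB or Ceragon. The key blob standing in for the vendor's default key, the second "operator" key, the blocklist and the sshd log lines are all constructed placeholders, because the real mateidu key is not reproduced on the page. It also assumes the device forwards standard OpenSSH syslog lines, which include the accepted key's SHA256 fingerprint.

```python
"""Audit an OpenSSH authorized_keys file and sshd log lines for a known
default public key, as described for the mateidu account in CVE-2015-0936.

Added example, not code from VulDB or Ceragon. The key blobs, the
fingerprint blocklist and the log lines are constructed placeholders.
"""
import base64
import hashlib
import re
import struct


def fingerprint(key_blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob,
    base64-encoded with the trailing '=' padding stripped."""
    raw = base64.b64decode(key_blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


# Syntactically valid ssh-ed25519 blobs built from constant bytes. The first
# stands in for the vendor default key; it is NOT the real key. The second
# plays the role of a legitimately provisioned operator key.
PLACEHOLDER_DEFAULT_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([0x42]) * 32)
).decode("ascii")
PLACEHOLDER_OPERATOR_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([0x17]) * 32)
).decode("ascii")

# In a real deployment this set holds the fingerprint(s) of the confirmed
# vendor default key(s); here it holds the placeholder above.
KNOWN_DEFAULT_FINGERPRINTS = {fingerprint(PLACEHOLDER_DEFAULT_BLOB)}

# Matches "<keytype> <base64>" anywhere in an authorized_keys line, so
# leading options such as from="..." or command="..." are tolerated.
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)"
)


def audit_authorized_keys(text, blocklist=KNOWN_DEFAULT_FINGERPRINTS):
    """Return (kept_lines, flagged). flagged lists (line_number, fingerprint)
    for entries whose key is blocklisted; kept_lines is the file with those
    entries removed and everything else (comments, blanks) preserved."""
    kept, flagged = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _KEY_RE.search(line)
        if not line.strip() or line.lstrip().startswith("#") or not m:
            kept.append(line)
            continue
        try:
            fp = fingerprint(m.group(2))
        except ValueError:          # malformed base64: keep, do not guess
            kept.append(line)
            continue
        if fp in blocklist:
            flagged.append((lineno, fp))
        else:
            kept.append(line)
    return kept, flagged


# OpenSSH logs the accepted key's fingerprint on publickey logins.
_LOGIN_RE = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)"
)


def find_default_key_logins(log_lines, blocklist=KNOWN_DEFAULT_FINGERPRINTS):
    """Return (user, source_ip, fingerprint) for each login that used a
    blocklisted key; such a login is a strong indicator of compromise."""
    hits = []
    for line in log_lines:
        m = _LOGIN_RE.search(line)
        if m and m.group(3) in blocklist:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample authorized_keys content for the mateidu account.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys for mateidu",
    f"ssh-ed25519 {PLACEHOLDER_DEFAULT_BLOB} vendor-default",
    f'from="10.0.0.0/8" ssh-ed25519 {PLACEHOLDER_OPERATOR_BLOB} noc-operator',
])

# Constructed sample sshd syslog lines (documentation IP range).
SAMPLE_LOG = [
    "Jan  5 10:12:01 ip10 sshd[812]: Accepted publickey for mateidu from "
    "192.0.2.10 port 51022 ssh2: ED25519 " + fingerprint(PLACEHOLDER_DEFAULT_BLOB),
    "Jan  5 10:15:44 ip10 sshd[830]: Accepted publickey for admin from "
    "10.1.1.5 port 40210 ssh2: ED25519 " + fingerprint(PLACEHOLDER_OPERATOR_BLOB),
]

if __name__ == "__main__":
    kept, flagged = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for lineno, fp in flagged:
        print(f"line {lineno}: default key {fp} removed")
    print("cleaned authorized_keys:\n" + "\n".join(kept))
    for user, src, fp in find_default_key_logins(SAMPLE_LOG):
        print(f"ALERT: {user} logged in from {src} using default key {fp}")
```

The fingerprint is computed over the decoded key blob, so the comparison is independent of the comment field or any options prefix an attacker or installer might have added to the line. Writing the cleaned content back over the original file, and restarting nothing (sshd reads authorized_keys per login), completes the remediation for that account; disabling the mateidu account outright, as recommended above, removes the exposure even if the file is later restored from a default image.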