CVE-2017-9137 in FibeAir IP-10
Summary
by MITRE
Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor). This account can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker read-only access to the device's settings. However, when using SSH, this gives an attacker access to a Linux shell.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 10/01/2020
The Ceragon FibeAir IP-10 wireless radio devices running firmware versions up to 7.2.0 contain a critical security vulnerability stemming from a hardcoded default credential configuration that violates fundamental security principles. This vulnerability represents a classic example of poor authentication design where vendors fail to properly secure their devices against unauthorized access. The device establishes a hidden administrative account named mateidu with the default password mateidu, creating a persistent backdoor that remains active regardless of user configuration changes. This flaw directly maps to CWE-798, which categorizes the use of hard-coded credentials as a significant security risk, and aligns with ATT&CK technique T1078.1.001 for valid accounts, as it provides unauthorized access through legitimate authentication mechanisms.
The technical implementation of this vulnerability allows attackers to exploit multiple access vectors simultaneously, demonstrating a critical design flaw in the device's security architecture. Through the web interface, the mateidu account provides read-only access to device configuration settings, which can be leveraged to gather sensitive network information including IP addresses, network topology details, and device configuration parameters. However, the more severe impact occurs when attackers utilize SSH access with this credential, as it grants them full shell access to the underlying Linux operating system. This shell access enables attackers to execute arbitrary commands, modify system files, install malicious software, and potentially escalate privileges to root access. The combination of these access vectors creates a multi-layered attack surface that significantly increases the potential for system compromise.
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables attackers to conduct reconnaissance, establish persistent access, and potentially disrupt network operations. Network administrators who fail to change default credentials leave their wireless infrastructure vulnerable to automated scanning attacks that can quickly identify and exploit these devices. The hidden nature of the mateidu account compounds the risk, as it remains undetected by standard security audits and configuration reviews. Attackers can leverage this vulnerability to perform network mapping, identify connected devices, and potentially use the compromised device as a pivot point for attacking other systems within the network. This vulnerability also increases the risk of man-in-the-middle attacks and can facilitate data exfiltration from the wireless network infrastructure.
Organizations should implement immediate mitigations including changing default credentials, disabling unnecessary services, and implementing network segmentation to limit the impact of potential compromise. The most effective immediate solution involves changing the default password for the mateidu account to a strong, unique credential that follows NIST SP 800-63B password guidelines. Network administrators should also disable SSH access if it is not required for legitimate administrative purposes and implement proper access controls through firewall rules. Regular security assessments should be conducted to identify and remediate similar hardcoded credentials across all network infrastructure devices. Additionally, implementing network monitoring solutions that can detect unusual SSH access patterns and unauthorized account logins will help detect exploitation attempts. The vulnerability highlights the critical importance of adhering to security best practices such as the principle of least privilege and the requirement to change default credentials as outlined in ISO 27001 controls and NIST cybersecurity frameworks.