ID

VAR-201705-3845


CVE

CVE-2017-9137


TITLE

Ceragon FibeAir IP-10 Vulnerabilities related to certificate and password management in wireless receivers

Trust: 0.8

sources: JVNDB: JVNDB-2017-004381

DESCRIPTION

Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor). This account can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker read-only access to the device's settings. However, when using SSH, this gives an attacker access to a Linux shell. NOTE: the vendor has commented "The mateidu user is a known user, which is mentioned in the FibeAir IP-10 User Guide. Customers are instructed to change the mateidu user password. Changing the user password fully solves the vulnerability.". Ceragon FibeAir IP-10 wireless receivers contain vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS). Ceragon FibeAir IP-10 wireless radios are wireless microwave transmission devices from Israel's Ceragon. A security vulnerability exists in Ceragon FibeAir IP-10 wireless radios 7.2.0 and earlier, which originates from the default password of the mateidu account.

Trust: 2.25

sources: NVD: CVE-2017-9137 // JVNDB: JVNDB-2017-004381 // CNVD: CNVD-2017-08177 // VULHUB: VHN-117340

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-08177

AFFECTED PRODUCTS

vendor: ceragon, model: fiberair ip-10, scope: lte, version: 7.2.0

Trust: 1.0

vendor: ceragon, model: fibeair ip-10, scope: lte, version: 7.2.0

Trust: 0.8

vendor: ceragon, model: fibeair ip-10 wireless radios, scope: lte, version: <=7.2.0

Trust: 0.6

vendor: ceragon, model: fiberair ip-10, scope: eq, version: 7.2.0

Trust: 0.6

sources: CNVD: CNVD-2017-08177 // JVNDB: JVNDB-2017-004381 // CNNVD: CNNVD-201705-917 // NVD: CVE-2017-9137

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9137
value: HIGH

Trust: 1.0

NVD: CVE-2017-9137
value: HIGH

Trust: 0.8

CNVD: CNVD-2017-08177
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201705-917
value: HIGH

Trust: 0.6

VULHUB: VHN-117340
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2017-9137
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-08177
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-117340
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-9137
baseSeverity: HIGH
baseScore: 7.3
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 3.9
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-08177 // VULHUB: VHN-117340 // JVNDB: JVNDB-2017-004381 // CNNVD: CNNVD-201705-917 // NVD: CVE-2017-9137

PROBLEMTYPE DATA

problemtype: CWE-1188

Trust: 1.0

problemtype: CWE-255

Trust: 0.9

sources: VULHUB: VHN-117340 // JVNDB: JVNDB-2017-004381 // NVD: CVE-2017-9137

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201705-917

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201705-917

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-004381

PATCH

title: FibeAir IP-10, url: http://www.cbl.cz/pdf/multiplexery-licensovane-pasmo/CERAGON-FibeAir-IP-10.pdf

Trust: 0.8

sources: JVNDB: JVNDB-2017-004381

EXTERNAL IDS

db: NVD, id: CVE-2017-9137

Trust: 3.1

db: JVNDB, id: JVNDB-2017-004381

Trust: 0.8

db: CNNVD, id: CNNVD-201705-917

Trust: 0.7

db: CNVD, id: CNVD-2017-08177

Trust: 0.6

db: VULHUB, id: VHN-117340

Trust: 0.1

sources: CNVD: CNVD-2017-08177 // VULHUB: VHN-117340 // JVNDB: JVNDB-2017-004381 // CNNVD: CNNVD-201705-917 // NVD: CVE-2017-9137

REFERENCES

url: http://blog.iancaling.com/post/160817658078

Trust: 2.3

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9137

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9137

Trust: 0.8

url: http://blog.iancaling.com/post/160817658078/ceragon-fibeair-ip-10-hidden-user-backdoor

Trust: 0.8

sources: CNVD: CNVD-2017-08177 // VULHUB: VHN-117340 // JVNDB: JVNDB-2017-004381 // CNNVD: CNNVD-201705-917 // NVD: CVE-2017-9137

SOURCES

db: CNVD, id: CNVD-2017-08177
db: VULHUB, id: VHN-117340
db: JVNDB, id: JVNDB-2017-004381
db: CNNVD, id: CNNVD-201705-917
db: NVD, id: CVE-2017-9137

LAST UPDATE DATE

2025-04-20T23:37:55.739000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-08177, date: 2017-06-05T00:00:00
db: VULHUB, id: VHN-117340, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2017-004381, date: 2017-06-23T00:00:00
db: CNNVD, id: CNNVD-201705-917, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-9137, date: 2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-08177, date: 2017-05-27T00:00:00
db: VULHUB, id: VHN-117340, date: 2017-05-21T00:00:00
db: JVNDB, id: JVNDB-2017-004381, date: 2017-06-23T00:00:00
db: CNNVD, id: CNNVD-201705-917, date: 2017-05-22T00:00:00
db: NVD, id: CVE-2017-9137, date: 2017-05-21T21:29:00.410