DragonWave Horizon Hard-coded Credentials Vulnerability (multiple versions)

DragonWave Horizon wireless radios have hard-coded login credentials meant to allow the vendor to access the devices.

It affects version 1.01.03, but I am unable to determine exactly which version contains the fix for this vulnerability. The vendor has confirmed that this vulnerability is fixed in the latest version (1.4.8 as of the time of writing).

DragonWave has a proprietary management program that can be used to administer their radios, called Merlin.

In Merlin, a user can connect to a DragonWave device via Telnet and issue commands. Merlin prompts the user for login credentials, however, when connecting to the device, Merlin first tries to authenticate using hard-coded credentials. These credentials were discovered by examining the Telnet traffic in Wireshark.

Credentials used by Merlin include (format is username:password):
energetic:wireless (default device credentials)

Some interesting commands I found after logging in:
Show admin credentials (plaintext): get super user
Show other credentials, if any (plaintext): get user accounts
Read bytes from RAM: read word <hex address> <length>

2017/03/29 – Vendor notified
2017/03/30 – Vendor says that vulnerability is already fixed in newest version
2017/04/06 – Publicly disclosed

CVE ID: CVE-2017-7576

Show Comments