Ian C A Ling

Authentication bypass in Ceragon FibeAir IP-10 web interface (<7.2.0)

By Ian C A Ling in Vulnerability Disclosures on 15 Jun 2016

Vendor: ================= www.ceragon.com Product: ====================== -FibeAir IP-10 (<7.2.0) Vulnerability Type: =================== Authentication Bypass Vulnerability Details: ===================== Ceragon FibeAir IP-10 devices do not properly ensure that a user has authenticated before granting them access to the web interface of the device. The attacker simply needs to add a cookie to…

Siklu EtherHaul Hidden ‘root’ Account Vulnerability (<6.9.0 / <3.7.1)

By Ian C A Ling in Vulnerability Disclosures on 02 Jun 2016

tl;dr: Siklu EtherHaul radios have a built-in, hidden root account, with an unchangeable password that is the same across all devices. This account is accessible via both ssh and the device’s web interface and grants access to the underlying embedded Linux OS on the device, allowing full control…