Trango Altum AC600s have a default root login that is accessible via both SSH and telnet. Logging in as root on this device gives you access to a Linux shell, granting you full control over the device.
One of our Trango Altum AC600s was infected by a variant of the malware that spread between out-of-date Ubiquiti devices in May 2016 (http://www.securityweek.com/worm-infects-many-ubiquiti-devices-old-vulnerability).
The version of the malware from May spread between Ubiquiti devices by making use of a vulnerability in the web interface. This new variant simply connects to IP addresses via SSH, on both ports 22 and 2222, and then tries a series of credentials until it either authenticates successfully or runs out of combinations to try.
In the case of our AC600, the malware on some other device was able to successfully log in to our AC600 using the username “root” and the password “abcd1234”. I tested this on other up-to-date AC600s we own, and it worked on them as well.
At the time of writing, this login is not documented anywhere on Trango’s website, nor in any manuals. It is enabled by default and can be accessed via both SSH and telnet. It appears that you can change the root password without breaking anything.
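The credential-guessing pattern described above (a series of failed SSH logins from one source, then an accepted root login) can be spotted in authentication logs. The following is an added example, not code from the original post or from Trango; it assumes OpenSSH-style syslog lines collected from the device or a gateway, and the log lines, hostname and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format (assumption: the AC600's
# own log format is not described on the page). IPs are documentation ranges.
SAMPLE_LOG = """\
Jan  3 02:14:01 radio1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51101 ssh2
Jan  3 02:14:03 radio1 sshd[1203]: Failed password for invalid user ubnt from 203.0.113.7 port 51102 ssh2
Jan  3 02:14:05 radio1 sshd[1205]: Failed password for root from 203.0.113.7 port 51103 ssh2
Jan  3 02:14:07 radio1 sshd[1207]: Accepted password for root from 203.0.113.7 port 51104 ssh2
Jan  3 09:30:12 radio1 sshd[1420]: Failed password for root from 198.51.100.20 port 40022 ssh2
Jan  3 09:30:20 radio1 sshd[1422]: Accepted password for root from 198.51.100.20 port 40023 ssh2
Jan  3 11:02:44 radio1 sshd[1500]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jan  3 11:02:46 radio1 sshd[1502]: Failed password for invalid user pi from 192.0.2.55 port 33002 ssh2
Jan  3 11:02:48 radio1 sshd[1504]: Failed password for admin from 192.0.2.55 port 33003 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def classify_sources(log_text, min_failures=3):
    """Return {source_ip: verdict} for sources that look like credential guessing.

    'compromised': at least min_failures failed logins, then root accepted.
    'guessing':    at least min_failures failed logins, no root login accepted.
    """
    failures = defaultdict(int)
    verdicts = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # not a password authentication event
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            if failures[src] >= min_failures and src not in verdicts:
                verdicts[src] = "guessing"
        elif user == "root" and failures[src] >= min_failures:
            # Accepted root login preceded by a run of failures from this source
            verdicts[src] = "compromised"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A login that succeeds on the first attempt with the default password leaves no failed attempts to count, so this check complements changing the root password rather than replacing it.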
CVE ID: CVE-2016-10306
- 2016/12/23 – vulnerability reported to Trango
- 2017/01/03 – no response yet, so I emailed Trango again
- 2017/01/04 – disclosure posted
- 2017/01/09 – initial response
- 2017/01/11 – Trango says they will update the manual
- 2017/02/17 – Trango still has not updated the manual