Wireless Inc. WaveLink (Possibly Wavenet) 2458 family Command Module Vulnerability.
From: Michael Grant <scarab () ACENET CO ZA>
Date: Mon, 4 Sep 2000 09:54:19 +0200
Quick Description :
1. Poor authentication rules employed in WaveLink.
2. Username and password sent in clear text to Command Module.
Vendor Status : Contacted, and responded. No attempt to either notify customers or release a patch.
Vendor URL : www.wire-less-inc.com
I have recently been afforded the opportunity of playing with some of the
Wavelink equipment, namely the Wavelink 2458. I noticed that the very
powerful HTML config (cgi?) engine required a password/username to
authenticate users before they could proceed.
The problem arises during the various GET requests that follow:
1. Both the username AND password are transmitted in clear text as
parameters to the
2. These can easily be "sniffed" out by any promiscuous mode device
attached to the LAN.
This unfortunately compromises the integrity of the Wavelink units. I know
that they would probably be deployed on the "internal" or "private" side of
the WAN, but should any other point in the WAN be compromised, the Wavelink
units present a minor problem.
Furthermore, as you are most probably aware, there are many freely
available "scripts" that will attempt to "brute force" the username/password
combination. Success can then be judged by the contents of the document
Possible solutions are as follows:
1. In the config, limit addresses that are allowed to connect to the unit.
2. Have a maximum number of username/password combinations per IP.
3. Employ some form of encryption of either username or password -
hopefully both. Perhaps a modified ssh/ssl connection?
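Solutions 1 and 2 above, sketched as a check that runs before the password comparison. This is an added example, not part of the original post and not vendor code; the class and function names, the subnet and the thresholds are all assumptions.

```python
import ipaddress
import time

class LoginGate:
    """Runs before the password comparison; all names here are hypothetical."""
    def __init__(self, allowed_networks, max_failures=5, window_seconds=300):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}  # source IP -> times of recent failed logins

    def check(self, ip, now=None):
        """Return 'allow', 'deny-address' or 'deny-locked'."""
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(ip)
        # Solution 1: only configured management addresses may connect.
        if not any(addr in net for net in self.allowed):
            return "deny-address"
        # Solution 2: cap failed combinations per IP inside a sliding window.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            return "deny-locked"
        return "allow"

    def record(self, ip, success, now=None):
        """Record the outcome of an attempt that check() allowed."""
        now = time.monotonic() if now is None else now
        if success:
            self.failures.pop(ip, None)
        else:
            self.failures.setdefault(ip, []).append(now)

def replay(gate, attempts):
    """Feed (time, ip, password_ok) tuples through the gate; return verdicts."""
    verdicts = []
    for now, ip, ok in attempts:
        verdict = gate.check(ip, now)
        if verdict == "allow":
            gate.record(ip, ok, now)
        verdicts.append(verdict)
    return verdicts

# Constructed sample: 192.168.10.0/24 is an assumed management subnet.
SAMPLE = [(0, "192.168.10.5", False), (1, "192.168.10.5", False),
          (2, "192.168.10.5", False), (3, "192.168.10.5", True),
          (4, "10.0.0.9", True), (70, "192.168.10.5", True)]
if __name__ == "__main__":
    print(replay(LoginGate(["192.168.10.0/24"], 3, 60), SAMPLE))
```

Once an address is locked, even a correct password is refused until the earlier failures age out of the window. Neither check protects credentials that cross the LAN in clear text; that still needs the encryption in solution 3.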