Haven’t been a customer in years but I’ll still comment.. 1) Sure that’s nice … but doesn’t mean damage can’t be done 2) Sure passwords get lost - but if a tower climb to hit a reset button is the only option then so be it instead of a fixed root “backdoor” password…. I think that part that is most disturbing is the surprise customers will get from this being disclosed and how that would effect their trust in their vendor. 3) You’re assuming customers upgrade their firmware. I know of some folks with Tlink10’s out there that never seen a firmware upgrade ever - probably deployed for 10 years now I’m guessing.
10 years doesn’t make it right. How do you know it worked well? Just because something isn’t reported doesn’t mean it wasn’t a problem. PCI compliance doesn’t mean something has a higher level of security and follows non-stupid practices. With a backdoor vendor password, you have essentially put all of your customers networks at risk and provide them with very limited means to protect themselves. Just my two cents worth Paul > On Nov 12, 2016, at 2:17 PM, Chris Gustaf <[email protected]> wrote: > > A couple clarifications on this- > > 1) All Trango microwave products have separate control and data planes, so > root level access does not allow any packet sniffing. No user data goes > through the CPU. > > 2) Trango investigated using a Salt to make each root level password unique, > but opted against it since our support team frequently has been requested to > access radios where the user level passwords were forgotten and reset to > defaults. Without a known root password, a tower climb may be required to > physically reset the radio to factory. > > 3) Trango opted instead to periodically change root passwords on firmware > updates. > > The current method has worked well for 10 years with no breaches reported to > us. In fact, Trango has passed PCI compliance testing with it's SL24 product > using this method. > > That said, we would welcome a discussion on this since this type of tower > mounted product differs from other network devices residing in a network > closet. > > Regards, > > Chris Gustaf > Trango Engineering > > > > > > > > Sent from my mobile > > On Nov 12, 2016, at 4:09 AM, Paul Stewart <[email protected] > <mailto:[email protected]>> wrote: > >> Yikes…. >> >> >> >> [+] Credits: Ian Ling >> [+] Website: iancaling.com <http://iancaling.com/> >> [+] Source: http://blog.iancaling.com/post/153011925478/ >> <http://blog.iancaling.com/post/153011925478/> >> >> Vendor: >> ================= >> www.trangosys.com <http://www.trangosys.com/> >> >> Products: >> ====================== >> All models. Newer versions use a different password. >> >> Vulnerability Type: >> =================== >> Default Root Account >> >> CVE Reference: >> ============== >> N/A >> >> Vulnerability Details: >> ===================== >> >> Trango devices all have a built-in, hidden root account, with a default >> password that is the same across many devices and software revisions. This >> account is accessible via ssh and grants access to the underlying embedded >> unix OS on the device, allowing full control over it. Recent software >> updates for some models have changed this password, but have not removed >> this backdoor. See source above for details on how the password was found. >> >> The particular password I found is 9 characters, all lowercase, no numbers: >> "bakergiga" >> Their support team informed me that there is a different password on newer >> devices. >> >> The password I found works on the following devices: >> >> -Apex <= 2.1.1 (latest) >> -ApexLynx < 2.0 >> -ApexOrion < 2.0 >> -ApexPlus <= 3.2.0 (latest) >> -Giga <= 2.6.1 (latest) >> -GigaLynx < 2.0 >> -GigaOrion < 2.0 >> -GigaPlus <= 3.2.3 (latest) >> -GigaPro <= 1.4.1 (latest) >> -StrataLink < 3.0 >> -StrataPro - all versions? >> >> Impact: >> The remote attacker has full control over the device, including shell >> access. This can lead to packet sniffing and tampering, bricking the device, >> and use in botnets. >> >> >> Disclosure Timeline: >> =================================== >> Vendor Notification: October 7, 2016 >> Public Disclosure: November 10, 2016 >> >> Exploitation Technique: >> ======================= >> Remote >> >> Severity Level: >> ================ >> Critical >>
