PT-2017-18714 · Mimosa+1 · Mimosa Access Points+3
Published
2017-05-21
·
Updated
2017-05-26
·
CVE-2017-9132
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Mimosa Client Radios versions prior to 2.2.3
Mimosa Backhaul Radios versions prior to 2.2.3
Mimosa Access Points versions prior to 2.2.3
Description
A hard-coded credentials issue was discovered in Mimosa devices that run Mosquitto, a lightweight message broker. This allows an attacker to connect to the broker on any device using the vendor's hard-coded credentials and view all messages being sent between devices. If an attacker connects to an Access Point, it will leak information about connected clients, including serial numbers, which can be used to remotely factory reset the clients.
Recommendations
For Mimosa Client Radios versions prior to 2.2.3, update to version 2.2.3 or later.
For Mimosa Backhaul Radios versions prior to 2.2.3, update to version 2.2.3 or later.
For Mimosa Access Points versions prior to 2.2.3, update to version 2.2.3 or later.
Fix
Using Hardcoded Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mimosa Access Points
Mimosa Backhaul Radios
Mimosa Client Radios
Mosquitto