CISA has warned of critical vulnerabilities in Airspan Networks Mimosa, some of which have earned CVSS severity score ratings of 10, the highest possible.
When security vulnerabilities are severe, and the products they impact are popular or critical to the operations of key industries, the US Cybersecurity and Infrastructure Security Agency (CISA) will often issue advisories to make sure they reach the attention of IT administrators and security staff.
On Thursday, CISA issued such an advisory for Airspan Networks Mimosa. Mimosa devices are offered to industrial and enterprise players for point-to-multipoint (PTMP) network deployment.
Seven vulnerabilities are included in the advisory, with CVSS v3 base scores ranging from 6.5 to 10.0.
The Airspan Networks products impacted by the vulnerabilities are the Mimosa Management Platform (MMP) prior to v1.0.3; PTP C-series devices running firmware prior to v2.8.6.1, and both PTMP C-series and A5x devices running firmware below v2.5.4.1. The vulnerabilities have been resolved in later versions.
Noam Moshe of Claroty reported the security issues, which are said to be exploitable remotely and with low attack complexity.
"Successful exploitation of these vulnerabilities could allow an attacker to gain user data (including organization details) and other sensitive data, compromise Mimosa's AWS cloud EC2 instance and S3 buckets and execute unauthorized remote code on all cloud-connected Mimosa devices," CISA says.
The vulnerabilities are below:
There is no evidence that the vulnerabilities have been exploited in the wild. Airspan Networks recommends that customers upgrade to MMP v1.0.4 or later, PTP C5x/C5c firmware v2.90 or later, and PTMP C-series/A5x firmware v2.9.0 or later.
In January, CISA updated its Known Exploited Vulnerabilities catalog with 13 new vulnerabilities. Of these, nine have a remediation date of February 1, and four have a remediation date of July 18.
The bugs include a command injection flaw in the System Information Library for node.js, a Drupal unrestricted file upload issue, and command injection vulnerabilities in the Nagios XI operating system.
Update 6.2, 8.36am GMT: Airspan Networks Mimosa told ZDNet:
"The issue was identified in August 2021 by a security vulnerability research team, and reported to Airspan via our Security Incident Response Team (SIRT) procedures.
We immediately addressed and rapidly resolved these issues via firmware and software updates to our users' devices, servers, and Airspan's cloud platforms -- through the proper channel via the CISA announcement and Airspan rectification response. [...] All systems were fixed months ago and users provided with the vulnerability information in the subsequent releases."