Vulnerability

    password handling in BreezeCOM

Affected

    Systems running BreezeCOM product

Description

    Mr. SteelFire  found following.   BreezeCOM adapters  are used  in
    wireless  LAN  environments  and  like  any  communication  device
    (switches,  routers  etc.)  you  need  a  password  to  access the
    adapter.   BreezeCOM  has  choosed  to  use  a  burned-in  factory
    standard password for their adapters which really is a stupid  way
    to  handle  this.   They  have  different  passwords for different
    version  which  you  cannot  change  and  the  passwords  are  the
    following:

        4.x     Super
        3.x     Master
        2.x     laflaf

    Marc Esipovich added following:

        4.4.x   Helpdesk

    He only tested this on 4.4.1, it seems that 5.x does not have such
    bypass passwords anymore.

    As  far  as  known  the  passwords  above  works  with SA (Station
    Adapter) 10,  SA 40  and AP  (Access Point)  10.   One thing  that
    should be  pointed out  is that  it's not  possible to  access the
    adapters  remote  (not  telnet  etc.)  so  the security problem is
    local.

    It is possible  to set installerrights  via snmp according  to one
    sorce.  There  is also a  kind of DOS  in the way  of updating the
    firmware.  The tftpserver requires no authorization to upload  the
    firmware and  reset.   So, someone  could easily  upload any file.
    After that you  have to send  the affected device  to breezecom to
    get a new firmware cause the tftpserver is part of the firmware...

Solution

    The only protection is to set up no ip-configuration.