That answer varies … they could be not acknowledging this, they could still be trying to figure it out … Hard to tell with vendors - some of them are great at dealing with this kind of stuff and some put their head in the sand …

Also - this notice doesn't mean 100% that it's actually correct … this is typically the work of a security researcher who is making a claim. Typically they are correct though …

> On Nov 12, 2016, at 7:45 AM, can...@believewireless.net <p...@believewireless.net> wrote:
>
> Why didn't Trango announce this to customers?
>
> On Sat, Nov 12, 2016 at 7:09 AM, Paul Stewart <p...@paulstewart.org> wrote:
> Yikes…
>
> [+] Credits: Ian Ling
> [+] Website: http://iancaling.com/
> [+] Source: http://blog.iancaling.com/post/153011925478/
>
> Vendor:
> =================
> http://www.trangosys.com/
>
> Products:
> ======================
> All models. Newer versions use a different password.
>
> Vulnerability Type:
> ===================
> Default Root Account
>
> CVE Reference:
> ==============
> N/A
>
> Vulnerability Details:
> =====================
>
> Trango devices all have a built-in, hidden root account, with a default password that is the same across many devices and software revisions. This account is accessible via ssh and grants access to the underlying embedded unix OS on the device, allowing full control over it. Recent software updates for some models have changed this password, but have not removed this backdoor. See source above for details on how the password was found.
>
> The particular password I found is 9 characters, all lowercase, no numbers: "bakergiga"
> Their support team informed me that there is a different password on newer devices.
>
> The password I found works on the following devices:
>
> - Apex <= 2.1.1 (latest)
> - ApexLynx < 2.0
> - ApexOrion < 2.0
> - ApexPlus <= 3.2.0 (latest)
> - Giga <= 2.6.1 (latest)
> - GigaLynx < 2.0
> - GigaOrion < 2.0
> - GigaPlus <= 3.2.3 (latest)
> - GigaPro <= 1.4.1 (latest)
> - StrataLink < 3.0
> - StrataPro - all versions?
>
> Impact:
> The remote attacker has full control over the device, including shell access. This can lead to packet sniffing and tampering, bricking the device, and use in botnets.
>
> Disclosure Timeline:
> ===================================
> Vendor Notification: October 7, 2016
> Public Disclosure: November 10, 2016
>
> Exploitation Technique:
> =======================
> Remote
>
> Severity Level:
> ================
> Critical
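A defender-side check that follows from the advisory quoted above, added here as an example that is not part of the thread, the advisory or Trango's firmware: it audits passwd/shadow files pulled from a firmware image for login-capable UID-0 accounts besides root, and for password hashes that repeat across images, which is the pattern the advisory describes. All sample data and the account name svcadm are constructed.

```python
# Added example (not from the advisory or the vendor): audit an extracted
# embedded-Linux rootfs for hidden, login-capable UID-0 accounts and for
# password hashes repeated across firmware images. Sample files are
# constructed; the account name "svcadm" is hypothetical.
from collections import defaultdict

PASSWD_A = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
svcadm:x:0:0:service:/:/bin/sh
"""
SHADOW_A = """root:$1$abcdefgh$CONSTRUCTEDROOTHASH00000000:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
svcadm:$1$zyxwvuts$CONSTRUCTEDSHAREDHASH000000:17000:0:99999:7:::
"""
# Second image of the same product line: root's hash differs, svcadm's does not.
SHADOW_B = """root:$1$qwertyui$CONSTRUCTEDROOTHASH11111111:17100:0:99999:7:::
daemon:*:17100:0:99999:7:::
svcadm:$1$zyxwvuts$CONSTRUCTEDSHAREDHASH000000:17100:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_colon_file(text):
    """Map account name -> colon-separated fields for passwd/shadow text."""
    return {f[0]: f for f in (line.split(":") for line in text.splitlines()) if f[0]}

def is_locked(hash_field):
    """Empty, '*' or '!'-prefixed hashes cannot authenticate with a password."""
    return hash_field in ("", "*") or hash_field.startswith("!")

def find_root_equivalents(passwd_text, shadow_text):
    """Accounts other than 'root' with UID 0, a usable shell and a live hash."""
    shadow = parse_colon_file(shadow_text)
    hits = []
    for name, f in parse_colon_file(passwd_text).items():
        live = not is_locked(shadow.get(name, ["", "*"])[1])
        if int(f[2]) == 0 and name != "root" and f[6] not in NOLOGIN_SHELLS and live:
            hits.append(name)
    return sorted(hits)

def shared_hashes(*shadow_texts):
    """Hashes recurring across images: identical hash means identical salt and
    password, i.e. baked into the build rather than set per device. (The same
    password stored with a different salt per image is not caught here.)"""
    seen = defaultdict(set)
    for idx, text in enumerate(shadow_texts):
        for name, f in parse_colon_file(text).items():
            if not is_locked(f[1]):
                seen[f[1]].add((idx, name))
    return {h: sorted(u) for h, u in seen.items() if len(u) > 1}
```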