Login Sign Up

CVE-2015-0936

9.8 CRITICAL
Authentication Bypass

📋 TL;DR

CVE-2015-0936 allows remote attackers to gain SSH access to Ceragon FibeAir IP-10 devices using a default SSH private key that corresponds to a public key in the authorized_keys file for the mateidu user. This affects all Ceragon FibeAir IP-10 devices with default configurations, enabling complete system compromise.

💻 Affected Systems

Products:
  • Ceragon FibeAir IP-10
Versions: All versions with default configuration
Operating Systems: Embedded OS on FibeAir devices
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices where the default SSH key configuration hasn't been changed.

📦 What is this software?

Fibeair Ip 10 Firmware by Ceragon

View all CVEs affecting Fibeair Ip 10 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to reconfigure network devices, intercept traffic, disable services, or use devices as pivot points into internal networks.

🟠

Likely Case

Unauthorized SSH access leading to configuration changes, data exfiltration, or device disruption.

🟢

If Mitigated

No impact if default SSH keys have been removed or changed.

🌐 Internet-Facing: HIGH - Devices exposed to the internet can be directly attacked without authentication.
🏢 Internal Only: HIGH - Internal attackers or malware with network access can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the default private key which has been publicly disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

1. Remove the default public key from /home/mateidu/.ssh/authorized_keys
2. Generate new SSH key pairs for authorized users
3. Disable SSH access for mateidu user if not needed

🔧 Temporary Workarounds

Remove Default SSH Key

linux

Delete the default public key from the authorized_keys file

rm /home/mateidu/.ssh/authorized_keys
chmod 600 /home/mateidu/.ssh/authorized_keys

Disable SSH for mateidu

linux

Remove SSH access for the vulnerable user account

passwd -l mateidu
usermod -s /sbin/nologin mateidu

🧯 If You Can't Patch

  • Implement network segmentation to isolate FibeAir devices from untrusted networks
  • Use firewall rules to restrict SSH access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check if /home/mateidu/.ssh/authorized_keys contains the default public key (available in public disclosures)

Check Version:

show version (device-specific command)

Verify Fix Applied:

Verify authorized_keys file is empty or contains only authorized public keys, and test SSH access with default private key fails

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH authentication attempts followed by successful mateidu login
  • SSH sessions from unexpected IP addresses

Network Indicators:

  • SSH connections to port 22 from suspicious sources
  • Unusual outbound traffic from FibeAir devices

SIEM Query:

source="fibeair" AND event="ssh_login" AND user="mateidu"

📊 Metadata

CVE ID: CVE-2015-0936
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-320
Published: June 1, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2015-0936, you might also want to check these:

CVE-2015-4166 9.8

This vulnerability in Cloudera Key Trustee Server allows attackers to potentially compromise encrypt...

Same vulnerability type (CWE-320)
CVE-2016-10421 9.8

This vulnerability in Qualcomm Snapdragon chipsets used in Android devices fails to properly clear c...

Same vulnerability type (CWE-320)
CVE-2019-5672 9.1

This vulnerability affects NVIDIA Jetson TX1 and TX2 devices running Linux for Tegra (L4T) where def...

Same vulnerability type (CWE-320)