CVE-2016-10308
Summary
| CVE | CVE-2016-10308 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-03-30 07:59:00 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | Siklu EtherHaul radios before 3.7.1 and 6.x before 6.9.0 have a built-in, hidden root account, with an unchangeable password that is the same across all devices. This account is accessible via both SSH and the device's web interface and grants access to the underlying embedded Linux OS on the device, allowing full control over it. |
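Because the hidden account cannot be removed by configuration, the practical check for this CVE is the firmware version: the description gives two affected ranges, "before 3.7.1" and "6.x before 6.9.0". The following is an added example, not code from the CVE record, NVD or Siklu, that triages a fleet inventory against those ranges. It reads the ranges literally (every version below 3.7.1 and every 6.x below 6.9.0 is affected) and, because the NVD CPE list for the firmware says "All", treats branches the description does not mention (4.x, 5.x, 7.x and later) as unverified rather than safe. The hostnames and version strings are constructed sample data.

```python
"""
Added example (not from the CVE record or Siklu): triage an inventory of
EtherHaul radios against the version ranges in the CVE-2016-10308 description.
Hostnames and version strings below are constructed sample data.
"""
import re

# Fix versions named in the CVE description. Assumption: the ranges are read
# literally, i.e. every version below 3.7.1 and every 6.x below 6.9.0.
FIXED_3X = (3, 7, 1)
FIXED_6X = (6, 9, 0)

# Accepts '6.8.5', 'v3.7.1-rc2', '6.9'; the patch component is optional.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for a firmware version string.
    Raises ValueError when the string does not start with major.minor."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(version_text):
    """Map one firmware version to:
      'affected' - inside a range the CVE description calls vulnerable
      'fixed'    - at or above the fix version for its branch
      'unlisted' - a branch the description does not mention (4.x, 5.x, 7.x...);
                   the NVD CPE list says 'All', so treat as unverified, not safe
    """
    v = parse_version(version_text)
    if v < FIXED_3X:
        return "affected"          # "before 3.7.1" covers 3.0 .. 3.7.0 and older
    if v[0] == 3:
        return "fixed"             # 3.7.1 and later on the 3.x branch
    if v[0] == 6:
        return "affected" if v < FIXED_6X else "fixed"
    return "unlisted"


def triage(inventory):
    """inventory: iterable of (hostname, firmware_version) pairs.
    Returns {hostname: classification}; unparseable versions map to 'unknown'
    so they are surfaced rather than silently skipped."""
    result = {}
    for host, version in inventory:
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("eh-link-01", "3.6.2"),
    ("eh-link-02", "3.7.1"),
    ("eh-link-03", "6.8.5"),
    ("eh-link-04", "6.9.0"),
    ("eh-link-05", "4.0.1"),
    ("eh-link-06", "n/a"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Run as a script it prints one line per device. An "unknown" result means the inventory's version string could not be parsed and should be resolved against the device itself; an "unlisted" result is a prompt to confirm the branch with the vendor, not a pass.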
Risk And Classification
Primary CVSS: v3.0 9.8 CRITICAL from [email protected]
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-798 (Use of Hard-coded Credentials) | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Primary | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
CVSS v3.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Complete |
| Integrity | Complete |
| Availability | Complete |
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Siklu | Etherhaul-5500fd | - | All | All | All |
| Hardware | Siklu | Etherhaul 500tx | - | All | All | All |
| Hardware | Siklu | Etherhaul 60ghz V-band Radio | - | All | All | All |
| Hardware | Siklu | Etherhaul 70ghz E-band Radio | - | All | All | All |
| Hardware | Siklu | Etherhaul 70/80ghz Gigabit Radio | - | All | All | All |
| Hardware | Siklu | Etherhaul 70/80ghz Multi-gigabit E-band Radio | - | All | All | All |
| Operating System | Siklu | Etherhaul Firmware | 6.0 | All | All | All |
| Operating System | Siklu | Etherhaul Firmware | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| iancaling — Siklu EtherHaul Hidden ‘root’ Account... | af854a3a-2127-422b-91ae-364da2661108 | blog.iancaling.com | Exploit, Third Party Advisory |
| Siklu EtherHaul radios CVE-2016-10308 Insecure Default Password Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.