COMMAND

    WaveLink

SYSTEMS AFFECTED

    Wireless WaveLink (Possibly Wavenet) 2458 family Command Module

PROBLEM

    Michael Grant found following.  Quick description:

        1. Poor Authentication rules employed in WaveLink
        2. Username and Password sent in Clear Text to Command Module.

    Michael had the opportunity of  playing with some of the  Wavelink
    equipment.   Namely the Wavelink  2458.  He noticed that the  very
    powerful HTML config (cgi?) engine required a password/username to
    authenticate users before they could proceed.

    The problem arises during the various get requests that follow:
    1. Both the username AND password are transmitted in clear text as
       parameters to the management system.
    2. These  can  easily  be  "sniffed"  out by any promiscuous  mode
       device attached to the LAN.

    This  unfortunately  compromises  the  integrity  of  the Wavelink
    units.  Further  more, as you  are most probably  aware, there are
    many freely available "scripts" that will attempt to "brute force"
    the username/password  combination.   Success can  then be  judged
    by the contents of the document returned.

SOLUTION

    Vendor  contacted  and  responded.   No  attempt  to either notify
    customers or release a patch.  Possible solutions are as follows:
    1. In the config, limit  addresses that are allowed to  connect to
       the unit;
    2. Have a maximum number username/password combinations per IP.
    3. Employ some form of encryption of either username or password -
       hopefully both.  Perhaps a modified ssh/ssl connection?