[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Cradlepoint vulnerabilities
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Cradlepoint vulnerabilities
- From: Todd Kelly via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
- Date: Thu, 8 Nov 2018 14:22:47 +0000
Hi,
This is a response to the Cradlepoint vulnerabilities posting by Crazy Owl on
Nov 5th.
We appreciate that CrazyOwl brought to our attention these vulnerabilities and
a coordinated disclosure that allowed us to address these issues and
communicate with our customers prior to public disclosure. We take security
very seriously, and took action as soon as we were notified. The specific steps
we’ve taken are:
1. Confirmed the vulnerabilities – August 28th
2. Began design and code changes to correct or avoid those vulnerabilities –
August 29th
3. Notified customers of the steps they needed to take to mitigate any risks
– October 5th
4. Released updated software that eliminated those vulnerabilities and
notified customers of the availability of that release – Nov 6th
As part of our response, we undertook an effort to formalize our vulnerability
handling processes, create a vulnerability notification process, and make it
straightforward for anyone to report a vulnerability. The results of this
effort can be seen on the new Cradlepoint Trust page
(https://cradlepoint.com/trust). That page contains the details of the
vulnerabilities described by CrazyOwl, as well as other past vulnerabilities,
any steps that customers should take to mitigate the risks of those
vulnerabilities, as well as available software releases.
3 of the 4 vulnerabilities exploit systems that have not change their default
passwords!
Best Regards,
Security@xxxxxxxxxxxxxxx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/