Executive Summary

Title AirSpan WiMAX ProST web management interface authentication bypass vulnerability
Name VU#248372 First vendor Publication 2008-03-06
Vendor VU-CERT Last vendor Modification 2008-04-10
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#248372

AirSpan WiMAX ProST web management interface authentication bypass vulnerability


The AirSpan WiMAX ProST contains an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to make arbitrary configuration changes.

I. Description

The AirSpan WiMAX ProST is customer premise equipment that provides WiMAX wireless networking. The web management interface of the Airspan WiMax ProST does not properly authenticate HTTP POST requests.

II. Impact

By sending HTTP POST requests to a vulnerable ProST device, a remote, unauthenticated attacker may be able to make arbitrary configuration changes. The attacker could potentially disable the device by uploading an invalid firmware image.

III. Solution


From AirSpan WiMAX product bulletin PB/ASM/2008/016 Rev A:

    A new version of SS has been made available as a SW patch to solve the above issue. This new version forms System Release 6.5.2 & 6.6.2 for MicroMAX and HiperMAX systems respectively.

Restrict access

Restrict access to the web management interface to trusted networks. If possible, configure management and transit networks for separate VLANs, or restrict access to the device using IP access lists.

Systems Affected

VendorStatusDate Updated
Wind River Systems, Inc.Unknown12-Mar-2008




Thanks to Arthur Lashin for reporting this vulnerability and Francis Lacoste-Cordeau for information that was used in this report..

This document was written by Ryan Giobbi.

Other Information

Date Public03/06/2008
Date First Published03/06/2008 12:00:20 PM
Date Last Updated04/10/2008
CERT Advisory 
CVE NameCVE-2008-1262
US-CERT Technical Alerts 
Document Revision31

Original Source

Url : http://www.kb.cert.org/vuls/id/248372

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

CPE : Common Platform Enumeration

Hardware 1

Open Source Vulnerability Database (OSVDB)

Id Description
43029 Airspan WiMAX ProST Administration Panel Authentication Bypass