Holes in Sierra Wireless Gateways

Friday, July 1, 2016 @ 03:07 PM gHale


There is a public report of three remotely exploitable vulnerabilities affecting the Sierra Wireless AirLink Raven XE and XT gateways, according to ICS-CERT.

The affected products allow unauthenticated access to directories on the system, which may allow remote file upload, download, and system reboot, according to this report. In addition, the affected products also contain a cross-site request forgery vulnerability that may make it possible for an attacker to trick a user into making an unintentional request to a web server, which is treated as an authenticated request, by accessing a malicious URL or downloading a malicious file. The public report also indicates the affected devices are vulnerable to credential sniffing, which could be used to log into the system.

The public report was released after the independent researcher, Karn Ganeshen, collaborated with the affected vendor to validate the vulnerabilities and identify mitigation procedures.

ICS-CERT contacted the affected vendor, and the vendor has validated the reported vulnerabilities. ICS-CERT issued an alert to provide notice of the public report and to identify baseline mitigations for reducing the risk from these and other cybersecurity attacks.

The Sierra Wireless Raven XE and XT wireless gateways see use in the following industries and applications: Utilities, manufacturing, automation, oil and gas, Ethernet-based SCADA, and telemetry.

Sierra Wireless said this past March they were going to discontinue the sale of Raven XE and XT gateways on August 31. However, limited telephone support will be available until December 30, 2019.

Sierra Wireless said the Raven XE and XT products are end of life and no new firmware releases will be made available.

In order to mitigate the risks presented by the identified vulnerabilities and other security concerns, Sierra Wireless recommends Raven XE and XT users follow best practices, which include:
• To minimize the risk associated with nonrandom default passwords: Change the default password on all equipment you purchase from any source.
• Use firewall configuration options to disable user access on all nonessential interfaces, in particular the cellular WAN interface.
• Take reasonable steps to physically secure local interfaces (e.g., deploy in a lockbox or restricted access facility).
• Do not enable the port forwarding feature to forward traffic to devices that operate unauthenticated or otherwise insecure network interfaces.
• To minimize the risk associated with lack of anti-cross-site request forgery tokens in AceManager: Do not operate AceManager from a client device that has simultaneous access to the Raven device and the public Internet, where most cross-site request forgery attacks are found.
• To minimize the risk associated with sensitive information exposed via HTTP GET operations through the AceManager interface, and unauthenticated access to directories: Disable AceManager access via the cellular WAN interface, particularly when the device is operating on public networks.

For additional information about these vulnerabilities or the recommendations provided, email the Sierra Wireless security team.