NetComm Fixes Wireless Router Holes

Thursday, August 9, 2018 @ 07:08 PM gHale

NetComm Wireless created new firmware to mitigate multiple vulnerabilities in its 4G LTE Light Industrial M2M Router, according to a report from NCCIC.

The remotely exploitable vulnerabilities are information exposure, cross-site request forgery, cross-site scripting, and information exposure through directory listing.

Successful exploitation of these vulnerabilities, discovered by Aditya K. Sood, could allow for the exposure of sensitive information.

The 4G LTE Light Industrial M2M Router (NWL-25), a cellular router, suffers from the issues in firmware 2.0.29.11 and prior.

In one vulnerability, the device allows access to configuration files and profiles without authenticating the user. 

CVE-2018-14782 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, a cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely. 

CVE-2018-14783 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, the device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.

CVE-2018-14784 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the directory of the device is listed openly without authentication. 

CVE-2018-14785 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use mainly in the communications sector, on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Australia-based NetComm Wireless released a new firmware version to mitigate the vulnerabilities. Affected users can click here to download the firmware.


