Sierra Handling Holes in AirLink ALEOS

Thursday, May 2, 2019 @ 02:05 PM gHale

Sierra Wireless has updates available to handle multiple vulnerabilities in its AirLink ALEOS, according to a report with NCCIC.

The vulnerabilities include a OS command injection, use of hard-coded credentials, unrestricted upload of file with dangerous type, cross-site scripting, cross-site request forgery, information exposure, and missing encryption of sensitive data.

RELATED STORIES
Rockwell Fixes CompactLogix 5370 Holes
Philips Mitigation Plan for Tasy EMR
Fujifilm Fix for Cassette Readers
Rockwell Mitigation Plan for Controllers

Successful exploitation of these remotely exploitable vulnerabilities, discovered by Carl Hurd and Jared Rittle of Cisco Talos, could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths. Public exploits are available and an attacker with low skill level could leverage the vulnerabilities.

Sierra Wireless reports the vulnerabilities affect the following AirLink ALEOS versions and products:
• LS300, GX400, GX440, and ES440: Version 4.4.8 and prior
• GX450 and ES450: All versions prior to 4.9.4
• MP70, MP70E, RV50, RV50X, LX40, and LX60: All versions prior to 4.12

In one vulnerability, a specially crafted authenticated HTTP request can inject arbitrary commands, resulting in remote code execution.

CVE-2018-406 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

In addition, activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.

CVE-2018-4062 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.2.

Also, a specially crafted authenticated HTTP request can upload a file, resulting in an executable, routable code upload to the web server.

CVE-2018-4063 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

In addition, a specially crafted HTTP ping request can cause reflected JavaScript to be executed and run on the user’s browser. An attacker can exploit this by convincing a user to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.

CVE-2018-4065 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.1.

Also, a specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests through an authenticated user. Triggering this vulnerability may allow an attacker access to authenticated pages via an authenticated user.

CVE-2018-4066 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.

In another issue, a specially crafted authenticated HTTP request can cause an information leak, resulting in the disclosure of internal file paths.

CVE-2018-4067 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.1.

In addition, the ACEManager authentication functionality is delivered in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device, which may allow access to credentials.

CVE-2018-4069 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.

The product sees use mainly in the commercial facilities, communications, emergency services, energy, government facilities, transportation systems, and water and wastewater systems sectors. It also sees action on a global basis.

Canada-based Sierra Wireless recommends users upgrade to the latest version of ALEOS for the products and versions below (Some updates are not yet available). For upgrade assistance contact an authorized AirLink reseller, Sierra Wireless sales, technical representative, or Sierra Wireless technical support.

• LS300, GX400, GX440, ES440: ALEOS 4.4.9 (Available by the end of this year)
• GX450, ES450ALEOS 4.9.4.p09 (Currently available)
• MP70, MP70E, RV50, RV50X, LX40, LX60: ALEOS 4.12 (Available by the end of June)

Sierra Wireless recommends users follow the actions outlined below:
• Ensure a strong password is set for the user account. For guidance on password strength, Sierra Wireless recommends the “memorized secret authenticator” guidelines in NIST SP800-63B.
• If ALEOS Application Framework (AAF) is enabled, ensure a strong password is set for the AAF User account.
• If Telnet or SSH is enabled, ensure a strong password is set for the console account.
• When connecting directly to ACEmanager:
– Use only HTTPS
– Utilize an up-to-date, modern web browser with built-in CSS and CSRF protection, such as Chrome, Firefox, or Edge

For more information, see the Sierra Wireless security advisory.

The following SNORT rules will detect exploitation attempts. Note that additional rules may end up released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to a Firepower Management Center or Snort.org.

Snort Rules: 48600, 48635, 48614 – 48621, 48747



Leave a Reply

You must be logged in to post a comment.