Updates for Sierra Wireless AirLink Holes

Friday, April 26, 2019 @ 02:04 PM gHale

Updates are available to address exploitable vulnerabilities in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprises and deployed in environments such as industrial control systems, researchers said.

These flaws present a number of attack vectors and could allow an attacker to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios, said Carl Hurd and Jared Rittle of Cisco Talos, who discovered the issues.

The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450. ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.

Cisco Talos worked with Sierra Wireless to ensure these issues are resolved and that an update is available for affected customers.

Sierra Wireless confirmed multiple devices are affected by various subsets of these vulnerabilities, including:
• GX400
• ES/GX440
• LS300
• ES/GX450
• MP70
• RV50/50X
• LX40/60X

In one issue, an exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, which are then executed on the device. An attacker needs to send an authenticated HTTP request to trigger this vulnerability.
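The following Python snippet is an added illustration of the command-injection pattern described above. It is not code from Sierra Wireless, ACEManager or Cisco Talos; the handler names, the `host` parameter and the attacker-supplied value are hypothetical. It places the vulnerable form (user input concatenated into a shell command line) beside a hardened form that validates the value as an IP address and hands an argv list to the process API without a shell.

```python
# Added illustration of the CGI command-injection pattern; NOT ACEManager code.
# Function names, the "host" parameter and the payload are hypothetical.
import ipaddress
import shlex
import subprocess

# Shell control operators that shlex (punctuation_chars=True) splits out of a line.
CONTROL_TOKENS = {";", "|", "||", "&", "&&", "(", ")"}


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: user input is concatenated into a command line that
    is later handed to /bin/sh. Anything after ';', '&&', '|' etc. in `host`
    becomes a second command run with the web server's privileges."""
    return "ping -c 1 " + host


def shell_control_tokens(cmdline: str) -> list:
    """Tokenise the line the way a POSIX shell would and return the control
    operators found, i.e. the points where a smuggled command begins.
    (Approximation: command substitution via backticks/$() is not modelled.)"""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in CONTROL_TOKENS]


def build_ping_command_safe(host: str) -> list:
    """Hardened pattern:
    1. allow-list validation: the value must parse as an IPv4/IPv6 address,
       so no metacharacter can survive;
    2. return an argv list for subprocess.run(..., shell=False), so no shell
       ever interprets the value."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc
    return ["ping", "-c", "1", str(addr)]


def run_safe_ping(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form: argv goes straight to execve(), shell=False."""
    return subprocess.run(build_ping_command_safe(host), capture_output=True, check=False)


if __name__ == "__main__":
    # Constructed attacker value: a valid address followed by a second command.
    payload = "192.0.2.1; cat /etc/passwd"
    unsafe = build_ping_command_unsafe(payload)
    print("unsafe command line:", unsafe)
    print("control operators  :", shell_control_tokens(unsafe))
    try:
        build_ping_command_safe(payload)
    except ValueError as err:
        print("hardened handler   :", err)
    print("hardened argv      :", build_ping_command_safe("192.0.2.1"))
```

The hardened version relies on two independent controls: even if the allow-list were loosened later (for hostnames, say), the argv form still denies the input a shell to talk to.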

In addition, a hard-coded credentials vulnerability exists in the SNMPD function of the Sierra Wireless AirLink ES450 FW 4.9.3. Activating SNMPD outside of the web UI enables the hard-coded credentials, exposing a privileged user account. An attacker can activate SNMPD without making any configuration changes to trigger this vulnerability.

Remote Code Execution
Also, an exploitable remote code execution vulnerability exists in the upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file containing executable code to a location that is reachable through the web server. An attacker can make an authenticated HTTP request to trigger this vulnerability.

In addition, an exploitable unverified password change vulnerability exists in the ACEManager upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an unverified device configuration change, resulting in the `user` password on the device being changed without verification. An attacker can make an authenticated HTTP request to trigger this vulnerability.

In another issue, an exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected JavaScript to execute in the victim’s browser. An attacker can exploit this by convincing a victim to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.

In addition, an exploitable cross-site request forgery vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to unknowingly perform privileged requests, so that requests the attacker could not make directly are issued through the authenticated user’s session. Triggering this vulnerability may allow an attacker to reach authenticated pages via an authenticated user.
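The following Python snippet is an added illustration of the reflected cross-site scripting and cross-site request forgery issues described in the two paragraphs above. It is not ACEManager code; the device origin, session identifier, form-field name and the shape of the request dictionaries are assumed. It shows output encoding for the echoed ping parameter, and an exact-origin check plus a session-bound synchronizer token that a state-changing CGI should require before acting.

```python
# Added illustration of reflected-XSS output encoding and CSRF protection for a
# management web UI; NOT ACEManager code. DEVICE_ORIGIN, the session id, the
# "csrf_token" form field and the header/form dicts are assumed shapes.
import hashlib
import hmac
import html
from urllib.parse import urlsplit

DEVICE_ORIGIN = "https://192.0.2.1"   # assumed origin of the management UI


def render_ping_result_unsafe(host: str) -> str:
    """Vulnerable pattern: the request parameter is echoed into HTML verbatim,
    so a link carrying host=<script>...</script> runs in the viewer's browser."""
    return f"<p>Ping results for {host}</p>"


def render_ping_result_safe(host: str) -> str:
    """Hardened pattern: HTML-encode the value for the text-node context it lands in."""
    return f"<p>Ping results for {html.escape(host, quote=True)}</p>"


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session_id).
    The UI embeds it in its forms; every state-changing request must carry it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers: dict) -> str:
    """Origin header if present, else scheme://host derived from Referer, else ''."""
    if headers.get("Origin"):
        return headers["Origin"]
    parts = urlsplit(headers.get("Referer", ""))
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""


def authorize_state_change(headers: dict, form: dict, session_id: str, secret: bytes) -> bool:
    """Two independent checks before acting on a privileged request:
      1. the request's origin must equal the device's own origin (exact match,
         so https://192.0.2.1.evil.example does not pass a prefix test);
      2. the submitted token must equal the session-bound token (constant time).
    A session cookie alone proves nothing here: browsers attach cookies to
    cross-site form posts, which is exactly what CSRF relies on."""
    if request_origin(headers) != DEVICE_ORIGIN:
        return False
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, form.get("csrf_token", ""))


if __name__ == "__main__":
    secret = b"constructed-server-secret"      # constructed; load from device key store in practice
    token = issue_csrf_token("sess-1", secret)
    print(render_ping_result_unsafe("<script>alert(1)</script>"))
    print(render_ping_result_safe("<script>alert(1)</script>"))
    # Same-site request with a valid token is allowed; a forged cross-site one is not.
    print(authorize_state_change({"Origin": DEVICE_ORIGIN}, {"csrf_token": token}, "sess-1", secret))
    print(authorize_state_change({"Origin": "https://attacker.example"}, {"csrf_token": token}, "sess-1", secret))
```

Both checks are kept because each fails in a different way: older or proxied clients may strip Origin and Referer, and a token leaked through the XSS above could be replayed; an attacker has to defeat both to forge a privileged request.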

Also, an exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.

In another hole, an exploitable information disclosure vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in the disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability.

Information Disclosure
Also, an information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. ACEManager authentication is performed in plaintext XML sent to the web server. An attacker who can listen to network traffic upstream from the device can capture these credentials.

In addition, an exploitable information disclosure vulnerability exists in the ACEManager Embedded_Ace_Get_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause information disclosure, resulting in the exposure of confidential information, including, but not limited to, plain text passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability.
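The following Python snippet is an added detection example for the two plaintext-credential exposures described above: authentication sent to the web server as cleartext XML, and a CGI response carrying passwords and SNMP community strings. It is not ACEManager code or a real capture; the two HTTP messages are constructed for illustration and the XML element names are assumed, not the device's schema. Run over reassembled HTTP streams from a tap upstream of the gateway, it flags every credential-bearing element that crossed the wire in the clear.

```python
# Added detection example for credentials travelling in cleartext XML over HTTP.
# The messages are CONSTRUCTED and the element names are assumed; not ACEManager's schema.
import xml.etree.ElementTree as ET

# Element names that should never appear in a cleartext body (assumed watch-list).
CREDENTIAL_TAGS = {"password", "passwd", "pwd", "community", "secret"}

SAMPLE_LOGIN_REQUEST = (
    "POST /cgi-bin/login.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<login><user>admin</user><password>hunter2</password></login>"
)

SAMPLE_CONFIG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    "<config><snmp><community>public</community></snmp>"
    "<wifi><ssid>plant-ap</ssid><password>ChangeMe!</password></wifi></config>"
)


def split_http_message(raw: str):
    """Split a raw HTTP message into (start_line, headers_dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def _preview(value: str) -> str:
    """Mask a secret for the alert: keep two characters, star the rest."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_plaintext_credentials(raw: str) -> list:
    """Return one finding per credential-bearing XML element in the message body.
    Messages without an XML content type, or with a body that does not parse
    (including any ciphertext), yield []."""
    start_line, headers, body = split_http_message(raw)
    if "xml" not in headers.get("content-type", ""):
        return []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()   # drop any XML namespace prefix
        if tag in CREDENTIAL_TAGS and (elem.text or "").strip():
            findings.append({"message": start_line, "field": tag,
                             "preview": _preview(elem.text.strip())})
    return findings


def scan_http_messages(messages: list) -> list:
    """Run the check over a batch of captured messages (e.g. reassembled TCP streams)."""
    return [f for m in messages for f in find_plaintext_credentials(m)]


if __name__ == "__main__":
    for finding in scan_http_messages([SAMPLE_LOGIN_REQUEST, SAMPLE_CONFIG_RESPONSE]):
        print(f"{finding['message']}: <{finding['field']}> sent in the clear ({finding['preview']})")
```

Because the check keys on element names rather than on a specific endpoint, it also catches a configuration dump returned by any other CGI; the mitigation on the wire is the same in both cases: reach the management UI only over TLS, and never over a link an untrusted party can tap.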

Finally, an exploitable permission assignment vulnerability exists in the ACEManager Embedded_Ace_Set_Task.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an arbitrary setting to be written, resulting in unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.
