Multiple Sierra Wireless AirLink Routers Open to Remote Code Execution

Critical flaws in the software of Sierra Wireless’ AirLink routers enable an array of malicious attacks.

Sierra Wireless is warning that additional AirLink router models, which are targeted toward IoT applications, are vulnerable to previously-disclosed critical flaws.

The vulnerabilities are part of the 11 critical bugs disclosed on Sierra Wireless’ AirLink ES450 LTE router last week – only now, Sierra Wireless has extended the impact of those flaws to 11 other router models that are using the ALEOS software.

Sierra Wireless has released fixes; users are encouraged to apply patches as soon as possible.

Sierra Wireless’ LTE AirLink routers are targeted toward embedded applications like transmitting data for fleets of vehicles (for example, in law enforcement settings, the routers collect data on whether a police car has engaged its lights and siren) and industrial machines (tracking the location of heavy equipment and assets for instance). ALEOS is the software powering these in-field devices, which enables users to collect and view data in real time.

Overall, the company patched seven vulnerabilities – including two critical flaws, and five medium-severity vulnerabilities stemming from the ALEOS software on the AirLink routers: “Successful exploitation of these vulnerabilities could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths,” according to a Thursday advisory.

Sierra Wireless said the following AirLink models (with the ALEOS software) are impacted: LS300, GX400, GX440, and ES440 (Version 4.4.8 and prior); GX450 and ES450 (All versions prior to 4.9.4); and MP70, MP70E, RV50, RV50X, LX40, and LX60 (All versions prior to 4.12).

The two most severe vulnerabilities are an OS command-injection flaw (CVE-2018-4061), and an unrestricted file upload glitch (CVE-2018-4063), both of which rank 9.1 out of 10 on the CVSS scale, making them critical in severity.

CVE-2018-4061 exists in the way the web server behind the routers, ACEManager, constructs OS commands – it incorrectly double-checks special elements that could modify the intended OS command for the router. That means an attacker could create a specially crafted authenticated HTTP request, which could then can inject arbitrary commands and result in remote code-execution.

Sierra wireless airlink

AirLink Router

“This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications,” according to notes on the vulnerability. “Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.”

CVE-2018-4063 meanwhile allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.

That means that an attacker could easily use a specially crafted authenticated HTTP request to then upload a file, resulting in an executable, routable code upload to the web server.

The routers also contain five medium-severity vulnerabilities. Those include a cross-site request forgery glitch, which may allow an attacker access to authenticated pages via an authenticated user (CVE-2018-4066); and a flaw that could activate hard-coded credentials (CVE-2018-4062), then allowing for the exposure of a privileged user. Another flaw could enable a specially crafted HTTP ping request to cause reflected JavaScript to be executed and run on the user’s browser (CVE-2018-4065).

The software also lacks encryption for some sensitive data (CVE-2018-4069) and contains an information-exposure flaw (CVE-2018-4067).

The vulnerabilities were first reported by Carl Hurd and Jared Rittle of Cisco Talos.

In May 2018, Sierra Wireless also patched two critical vulnerabilities for its range of routers that would leave the enterprise devices helpless to an array of remote threats.

 

Suggested articles