Researchers are detailing 21 recently patched vulnerabilities that impact certain Sierra Wireless routers, including one critical-severity and nine high-severity flaws.
The flaws affect Sierra Wireless AirLink routers and stem in part from open source components bundled in the router firmware, among them the OpenNDS captive portal and the TinyXML XML parser, a project that is no longer maintained. If exploited, the bugs have a range of potential impacts, from credential theft to full takeover of the router through code injection.
The routers that are impacted by these flaws are used for IoT and operational technology applications, and researchers with Forescout who discovered the flaws said that the devices are leveraged across a wide range of critical infrastructure sectors, including manufacturing, healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services and vehicle tracking.
“Attackers could leverage some of the new vulnerabilities to take full control of an OT/IoT router in critical infrastructure and achieve different goals, such as network disruptions, espionage, lateral movement and further malware deployment,” said researchers with Forescout in the Wednesday report. “For instance, attackers could take control of a router in a healthcare facility to attack devices of patients, guests or staff and distribute further malware.”
The most severe flaw (CVE-2023-41101), which has a CVSS score of 9.6 out of 10, is in the OpenNDS and NoDogSplash captive portals, which do not validate the length of the query string in pre-authentication GET requests before processing it. Exploiting it can crash the portal (denial of service) or lead to arbitrary code execution.
According to Daniel dos Santos, Forescout's head of research, in order to exploit CVE-2023-41101 an attacker must be able to interact with the captive portal running on the router, "which means that they need to be in range of the WiFi network guarded by the portal or compromise another device that can connect to that network."
"Once they can interact with the portal, there is no need for authentication or any other pre-condition," said dos Santos. "For CVE-2023-41101, only if they compromise another device that can connect to the router via WiFi, otherwise they need to be in proximity of the router. The vulnerabilities that do not affect the captive portal can be exploited remotely."
Another flaw (CVE-2023-38316), which has a CVSS score of 8.8, allows attackers to execute arbitrary OS commands when OpenNDS's custom URL unescape callback is enabled. An attacker does so by embedding the commands in the URL portion of a GET request, according to researchers.
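The two OpenNDS bug classes described above, an unchecked query-string length and a URL "unescaped" by handing it to a shell, are shown next to bounded, shell-free equivalents in the following added example. It is illustrative code written for this article, not code from OpenNDS, NoDogSplash or Sierra Wireless: the buffer sizes, the helper script path `/usr/lib/portal/unescape.sh`, the function names and the sample requests are all assumptions, and the vulnerable functions are only built, never executed against untrusted input.

```c
/*
 * Added example (not OpenNDS, NoDogSplash or Sierra Wireless code): a
 * hypothetical captive-portal request handler showing the two bug classes
 * next to bounded, shell-free equivalents.
 *   - Unbounded query-string copy (the class behind CVE-2023-41101).
 *   - URL "unescaped" by handing it to a shell script (the class behind
 *     CVE-2023-38316).
 * Buffer sizes, the helper path and all sample inputs are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_MAX 256   /* hypothetical fixed-size request buffer */

/* VULNERABLE: the query string of a pre-auth GET is copied with no length
 * check, so anything longer than QUERY_MAX-1 bytes overflows 'buf'.
 * Shown for contrast only; never called on untrusted input here. */
void copy_query_unbounded(char *buf, const char *query)
{
    strcpy(buf, query);
}

/* HARDENED: reject (do not silently truncate) anything that will not fit.
 * Returns 0 on success, -1 when the request should get an error response. */
int safe_copy_query(const char *query, char *buf, size_t buflen)
{
    size_t len = strlen(query);
    if (len >= buflen)          /* no room for the terminating NUL */
        return -1;
    memcpy(buf, query, len + 1);
    return 0;
}

/* VULNERABLE: "unescape" by building a shell command line from the URL.
 * Single quotes do not help: a ' inside the URL ends the quoted argument and
 * whatever follows runs as a command. Only builds the string; it is never
 * executed here. Returns the length snprintf produced. */
int build_shell_unescape_command(const char *url, char *cmd, size_t cmdlen)
{
    return snprintf(cmd, cmdlen, "/usr/lib/portal/unescape.sh '%s'", url);
}

/* HARDENED: decode %XX and '+' in process, with bounds checking, and keep the
 * result as data. Returns the decoded length, or -1 on a malformed escape or
 * when 'out' is too small. */
int url_unescape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in != '\0'; in++) {
        if (n + 1 >= outlen)    /* keep room for the NUL */
            return -1;
        if (*in == '%') {
            if (!isxdigit((unsigned char)in[1]) ||
                !isxdigit((unsigned char)in[2]))
                return -1;      /* truncated or invalid escape */
            char hex[3] = { in[1], in[2], '\0' };
            out[n++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else if (*in == '+') {
            out[n++] = ' ';
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[QUERY_MAX], decoded[QUERY_MAX], cmd[512];
    char oversized[2 * QUERY_MAX];

    /* Constructed inputs: a benign pre-auth request and an over-long one. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("benign query accepted: %s\n",
           safe_copy_query("redir=%2Fhome%3Fa%3D1+b", buf, sizeof buf) == 0 ? "yes" : "no");
    printf("oversized query rejected: %s\n",
           safe_copy_query(oversized, buf, sizeof buf) == -1 ? "yes" : "no");

    url_unescape("%2Fhome%3Fa%3D1+b", decoded, sizeof decoded);
    printf("decoded in process: %s\n", decoded);

    /* Constructed injection payload: the quote closes the argument early. */
    build_shell_unescape_command("http://portal/'; id; #", cmd, sizeof cmd);
    printf("shell-based helper would run: %s\n", cmd);
    return 0;
}
```

The point of the hardened pair is that length is enforced before any copy and that percent-decoding is a pure string operation; once a request fragment reaches a shell, no amount of quoting makes it safe.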
Other flaws affect the ALEOS Application Framework from Sierra Wireless, a set of services, components and applications built on top of an embedded Linux distribution. For instance, a technical-support feature in ALEOS that provides a diagnostic root shell on the device contains a hardcoded root password hash (CVE-2023-40463). If the diagnostic root shell is enabled, an attacker who recovers the password from that hash can gain root access, said researchers. Researchers also noted that several versions of ALEOS ship with a default SSL private key and certificate for ACEmanager (CVE-2023-40464), the Sierra Wireless web application used to configure and monitor the routers.
“Obtaining these artifacts may enable attackers to impersonate legitimate ACEmanager applications that rely on the default SSL key and certificate, and to sniff/spoof encrypted traffic between ACEmanager applications and their clients,” said researchers.
Another flaw, this one stemming from TinyXML, also affects ACEmanager (CVE-2023-40462). The high-severity flaw causes the application to crash when parsing certain malformed XML documents, which amounts to a “limited DoS” because ACEmanager is automatically restarted, said researchers.
“Attackers can prolong the DoS by repeatedly sending malformed XML documents,” said researchers. “All logged in users will be logged out as a side effect of the attack. Attackers do not need to be authenticated to exploit the issue.”
The coordinated response has involved patches from Sierra Wireless, the OpenNDS project and the Nodogsplash project: OpenNDS 10.1.3, Nodogsplash 5.0.2 and Sierra Wireless’ ALEOS 4.17.0 and ALEOS 4.9.9 releases (from mid-October) contain the fixes. TinyXML, however, is an abandoned project that has not been maintained for almost a decade, so researchers said the upstream flaws will not be fixed and must instead be addressed by the downstream vendors that embed it.
In addition to patching, researchers recommend that security teams replace the default SSL certificate on Sierra Wireless routers (and on any other device on their network that relies on a default certificate), and disable the captive portal and any services that are not needed, such as Telnet and SSH.
“These devices not only have critical vulnerabilities, but more often than not they are left unpatched,” said Forescout researchers in their report. “Less than 10 percent of routers seen on Shodan can be confirmed patched against previous vulnerabilities. While unpatched vulnerabilities in low-level OT assets are not surprising, given the difficulties in patching those devices and the - often wrong - assumptions that they are isolated, critical vulnerabilities in edge OT/IoT devices may be exposing the crown jewels of critical infrastructure to attackers and could be addressed more easily.”