A set of 21 newly found vulnerabilities affect Sierra OT/IoT routers and threaten crucial infrastructure with distant code execution, unauthorized entry, cross-site scripting, authentication bypass, and denial of service assaults.
The failings found by Forescout Vedere Labs have an effect on Sierra Wi-fi AirLink mobile routers and open-source elements like TinyXML and OpenNDS (open Community Demarcation Service).
AirLink routers are extremely regarded within the subject of commercial and mission-critical functions resulting from high-performance 3G/4G/5G and WiFi and multi-network connectivity.
Varied fashions are utilized in complicated situations like passenger WiFi in transit techniques, automobile connectivity for emergency companies, long-range gigabit connectivity to subject operations, and numerous different performance-intensive duties.
Forescout says Sierra routers are present in authorities techniques, emergency companies, vitality, transportation, water and wastewater amenities, manufacturing items, and healthcare organizations.
Flaws and affect
Forescout’s researchers found 21 new vulnerabilities in Sierra AirLink mobile routers and the TinyXML and OpenNDS elements, that are a part of different merchandise, too.
Solely one of many security points has been rated crucial, eight of them obtained a excessive severity rating, and a dozen current a medium danger.
Essentially the most noteworthy vulnerabilities are summarized under:
- CVE-2023-41101 (Distant Code Execution in OpenDNS – crucial severity rating of 9.6)
- CVE-2023-38316 (Distant Code Execution in OpenDNS – excessive severity rating of 8.8)
- CVE-2023-40463 (Unauthorized Entry in ALEOS – excessive severity rating of 8.1)
- CVE-2023-40464 (Unauthorized Entry in ALEOS – excessive severity rating of 8.1)
- CVE-2023-40461 (Cross Website Scripting in ACEmanager – excessive severity rating of 8.1)
- CVE-2023-40458 (Denial of Service in ACEmanager – excessive severity rating of 7.5)
- CVE-2023-40459 (Denial of Service in ACEmanager – excessive severity rating of 7.5)
- CVE-2023-40462 (Denial of Service in ACEmanager associated to TinyXML – excessive severity rating of 7.5)
- CVE-2023-40460 (Cross Website Scripting in ACEmanager – excessive severity rating of 7.1)
For at the very least 5 of the above flaws, attackers don’t require authentication to use them. For a number of others affecting OpenNDS, authentication is probably going not required, as widespread assault situations contain purchasers trying to hook up with a community or service.
Based on the researchers, an attacker might exploit among the vulnerabilities “to take full management of an OT/IoT router in crucial infrastructure.” The compromise might result in community disruption, allow espionage, or transfer laterally to extra vital property, and malware deployment.
“Aside from human attackers, these vulnerabilities can be utilized by botnets for computerized propagation, communication with command-and-control servers, in addition to performing DoS assaults,” the researchers clarify.
After working a scan on Shodan search enging for internet-connected units, Forescout researchers discovered over 86,000 AirLink routers uncovered on-line in crucial organizations engaged in energy distribution, automobile monitoring, waste administration, and nationwide well being companies.
About 80% of the uncovered techniques are in america, adopted by Canada, Australia, France, and Thailand.
Of these, fewer than 8,600 have utilized patches to vulnerabilities disclosed in 2019, and greater than 22,000 are uncovered to man-in-the-middle assaults resulting from utilizing a default SSL certificates.
Remediation recommendation
The advisable motion for directors is to improve to the ALEOS (AirLink Embedded Working System) model 4.17.0, which addresses all flaws, or at the very least ALEOS 4.9.9, which incorporates all fixes apart from these impacting OpenNDS captive portals that set a barrier between the general public web and a neighborhood space community.
The OpenNDS venture has additionally launched security updates for the vulnerabilities impacting the open-source venture, with model 10.1.3.
Observe that TinyXML is now abandonware, so there will likely be no fixes for the CVE-2023-40462 vulnerability that impacts the venture.
Forescout additionally recommends taking the next further actions for enhanced safety:
- Change default SSL certificates in Sierra Wi-fi routers and comparable units.
- Disable or prohibit non-essential companies like captive portals, Telnet, and SSH.
- Implement an internet software firewall to guard OT/IoT routers from internet vulnerabilities.
- Set up an OT/IoT-aware IDS to watch exterior and inside community site visitors for security breaches.
Forescout has launched a technical report that explains the vulnerabilities and the situations that permit exploiting them.4
Based on the corporate, risk actors are more and more focusing on routers and community infrastructure environments, launching assaults with customized malware that use the units for persistence and espionage functions.
For cybercriminals, routers are often a method to proxy malicious site visitors or to extend the scale of their botnet.
