Cyber Security Researchers at CTG disclosed a dozen vulnerabilities affecting Sierra Wireless AirLink gateways and routers, including several serious flaws. Some of the flaws could be exploited to execute arbitrary code, modify passwords, and change system settings.
Sierra Wireless AirLink gateways and routers are widely used in enterprise environments to connect industrial equipment, smart devices, sensors, point-of-sale (PoS) systems, and Industrial Control systems (ICSs).
Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios.
Exploit CVE-2018-10251 effect Sierra Wireless AirLink router models GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9.3 and could give an unauthorised person the ability to execute arbitrary code and gain full control of a system, including issuing commands with root privileges.
The other exploit, CVE-2017-15043, is associated with the same routers, but with different firmware packages. In this case, AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.5 and GX450, ES450, RV50, RV50X, MP70, and MP70E routers with firmware before 4.9 are involved. If left unpatched and exploited by an attacker will have the ability to perform the same tasks.
Most of the issues reside in ACEManager, the web server included with the ES450.
Cyber Security Experts discovered and rated the three flaws classified as “critical” (CVSS score 9.9) that can be exploited by an attacker to make changes to any system settings and execute arbitrary commands and code. An authenticated attacker could exploit the flaw by sending specially crafted HTTP requests to the targeted device.
The other three flaws, rated as “high severity,” could be exploited by an authenticated attacker to change the user password and obtain plain text passwords and other sensitive information. One of the issues affects the SNMPD function of the Sierra Wireless AirLink ES450 and it can be exploited by attackers to activate hardcoded credentials on a device, resulting in the exposure of a privileged user.
The remaining issues have been classified as “medium severity,” they include cross-site request forgery (CSRF), cross-site scripting (XSS), and information disclosure issues. Sierra Wireless has yet to release a security advisory for these vulnerabilities.