Sierra Wireless routers are at risk of hacking due to 21 new vulnerabilities, including one critical vulnerability, disclosed by researchers Wednesday.
Sierra Wireless AirLink cellular routers are among the most popular operational technology/Internet of Things (OT/IoT) routers used in critical infrastructure sectors, which may be subject to denial-of-service (DoS), remote code execution (RCE) and credential-stealing attacks due to the flaws. At least 86,000 vulnerable routers are exposed online, according to the Forescout Vedere Labs researchers who discovered the bugs.
Open-source software components OpenDNS and TinyXML are the underlying source of 15 of the Sierra router vulnerabilities. Security updates are available from Sierra Wireless and OpenDNS to patch the bugs. TinyXML is an abandoned project with no updates in nearly a decade, highlighting security challenges in the software supply chain.
“There is no direct evidence of current exploitation of these new flaws, but this type of perimeter device is a common target for threat actors,” said Daniel dos Santos, head of security research at Forescout Vedere Labs, in a statement to SC Media.
DoS, malware, unauthorized access endanger vulnerable routers
One critical vulnerability, nine high-severity bugs and 11 of medium severity were discovered in the AirLink Enterprise Operating System (ALEOS) software embedded in most Sierra Wireless AirLink routers, according to the Forescout report.
Three ALEOS components were affected: ACEmanager, a Sierra Wireless web application used to configure and monitor wireless router states; OpenDNS, an open-source captive portal used when the “Simple Captive Portal” is configured through ACEmanager; and TinyXML, an open-source XML parser whose source code was included in one of the libraries used by ACEmanager.
DoS could result from 10 of the vulnerabilities due to ACEmanager or OpenDNS crashing. NULL-pointer dereference when receiving incomplete XML documents or GET requests is the root of most of these bugs.
A flaw in TinyXML is responsible for one bug that causes a crash when parsing certain malformed XML documents, which also has the effect of logging out all logged-in users. Additionally, certain malformed XML documents can trigger an infinite loop in ACEmanager, causing a crash that requires the affected device to be manually restarted. Attackers could cause DoS by repeatedly injecting malformed documents and requests; in many cases, authentication is not required for the flaw to be exploited.
RCE and cross site scripting (XSS) of malware is possible via eight of the vulnerabilities, including a critical buffer overflow bug in OpenNDS. This vulnerability, tracked as CVE-2023-41101, is due to OpenNDS not validating the length of the query string in pre-authenticated GET requests, enabling arbitrary code execution.
“An attacker must be able to interact with the captive portal running on the router, which means that they need to be in range of the WiFi network guarded by the portal or compromise another device that can connect to that network,” dos Santos explained. “Once they can interact with the portal, there is no need for authentication or any other pre-condition."
Unauthorized access and authentication bypass risks are found in the other vulnerabilities outlined. Hardcoded passwords for diagnostic root shell access and default SSL private keys and certificates make it easier for hackers to leverage social engineering to infiltrate and persist on devices, the researchers said. Additionally, the use of a default FAS key in OpenDNS allows users to bypass the splash page and authenticate directly.
Router security risks for manufacturing, healthcare facilities
Sierra Wireless AirLink cellular routers connect critical OT/IoT devices to the internet, such as manufacturing machinery, surveillance cameras and medical devices. AirLink routers provide connectivity to power plants, water systems, first responder communication systems, transit authorities, manufacturing plants and more, according to the Sierra Wireless website.
Infrastructure cyberattack scenarios were outlined in the Forescout report. For example, a guest WiFi network with a captive portal provided by a Sierra Wireless AirLink router at a temporary health facility could be used as an access point for a nearby hacker to deploy malicious code via critical bug CVE-2023-41101.
Gaining control of the router through this method can facilitate further infection of connected devices such as medical devices and IT workstations containing patient records. Other exploits can be used to avoid detection by crashing ACEmanager. This attack could be conducted remotely if a device on the network is already compromised.
Forescout noted the latest security updates in ALEOS 4.17.0, ALEOS 4.9.9 and OpenNDS 10.1.3 address all 21 vulnerabilities outlined in the report. For abandoned third-party components like TinyXML, it is necessary for vendors like Sierra to create their own downstream fixes, as was done in this case, dos Santos noted.
In addition to updating their devices to the latest software versions, the Forescout team also made the follow recommendations for cybersecurity teams to protect their OT/IoT routers.
- Change the default certificates of routers and other devices on your network
- Disable or limit access to captive portals and services like Telnet and SSH where possible
- Consider deploying web application firewalls in front of OT/IoT routers
- Use intrusion detection systems that are OT/IoT aware
