Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection

发布时间：2019-04-28 15:30:08

A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, include two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection.

The Sierra Wireless AirLink ES450 LTE gateway (version 4.9.3) has 11 different bugs, which could be exploited for RCE, uncovering user credentials (including the administrator’s password) and other scenarios, according to Cisco Talos, which found the issues. Sierra Wireless has issued an update and administrators are encouraged to apply it.

“The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450,” Cisco explained in <a target="_blank" rel="noopener noreferrer">an advisory</a>&nbsp; on Thursday. “ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.”
<a><img src="https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg" alt=""></a>&nbsp;
The most serious of the flaws is a critical RCE vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4063</a>&nbsp;), CVSS score of 9.9, in the upload.cgi function of the ACEManager, which allows an attacker to use a specially crafted HTTP request to upload executable code, to be routed to the web server.
“When uploading template files, you can specify the name of the file that you are uploading,” according to Cisco. “There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”
Further, since ACEManager is running as root, any executables that are run by those files will be running also as root. “By uploading a small wrapper, we can upload arbitrary code to the device and run by simply navigating to the web page through the browser,” Cisco noted.
Also in the upload.cgi function, an unverified password change vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4064</a>&nbsp;) opens the door to an unverified device configuration change, resulting in an unverified change of the `user` password on the device.
In both cases, an attacker exploiting the upload.cgi bugs can make an authenticated HTTP request to trigger the vulnerability.
There’s also a critical command-injection vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4061</a>&nbsp;), CVSS score of 9.9, which exists in the ACEManager iplogging.cgi functionality. An authenticated attacker can send a specially crafted HTTP request to inject arbitrary commands, resulting in arbitrary command execution as root. This bug most likely also affects the also most likely affects the AirLink GX450 product, Cisco added.
Another problem arises from having hard-coded credentials (<a target="_blank" rel="noopener noreferrer">CVE-2018-4062</a>&nbsp;) in the SNMPD function of the gateway.
“Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user,” according to Cisco. “An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.”
Meanwhile, there are four information-disclosure vulnerabilities. For one, the ACEManager authentication functionality is done in plaintext XML to the web server (<a target="_blank" rel="noopener noreferrer">CVE-2018-4069</a>&nbsp;), so an attacker can listen to network traffic upstream from the device to sniff out credentials.
The other three (<a target="_blank" rel="noopener noreferrer">CVE-2018-4067</a>&nbsp;, <a target="_blank" rel="noopener noreferrer">CVE-2018-4068</a>&nbsp; and <a target="_blank" rel="noopener noreferrer">CVE-2018-4070/CVE-2018-4071</a>&nbsp;) can expose internal paths and files; the default configuration for the device; or plain text passwords and SNMP community strings. An attacker can send an unauthenticated HTTP request to trigger any of these.
Other bugs include a permission assignment vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4072/CVE-2018-4073</a>&nbsp;), a cross-site scripting (CSS) vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4065</a>&nbsp;) and a cross-site request forgery (CSRF) vulnerability (<a target="_blank" rel="noopener noreferrer">CVE-2018-4066</a>&nbsp;).

The gateway is billed as a “a reliable, secure LTE gateway,” and is one of the first-to-market to capitalize on the deployment of next-generation 5G mobile networks, which are expected to support <a target="_blank" rel="noopener noreferrer">a whole raft of new use cases</a>&nbsp;, especially in the industrial IoT space. But as these flaws illustrate, vulnerabilities come with any new territory.

“History has shown us that when we expand our computing power and connectivity, we open up a new landscape for attackers to use against us, with prime examples of this being the cloud and connected IoT devices,” Steve McGregory, senior director of application and threat intelligence at Ixia, told Threatpost. He added, “We are racing into 5G just as we did with IoT and the cloud…if that trend is to continue, then we must plan and prepare.”

原文 / From https://threatpost.com/critical-flaws-sierra-wireless-5g/144142/