Researchers have found flaws in a wireless gateway product that could allow hackers to run remote code-execution (RCE) and arbitrary command-injection attacks.
According to a blog post by researchers at Cisco Talos, the Sierra Wireless AirLink ES450 LTE gateway (version 4.9.3) has 11 vulnerabilities. These flaws present a number of attack vectors for a malicious actor and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios.
Researchers said that most of the flaws exist in ACEManager, the web server included with the ES450. ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.
The worst flaw is a critical RCE vulnerability (CVE-2018-4063) in the ACEManager upload.cgi functionality. A specially crafted HTTP request can upload a file, resulting in executable code being placed on the web server at a location the server will route to. An attacker can make an authenticated HTTP request to trigger this vulnerability.
There is also an unverified password change vulnerability (CVE-2018-4064) in the upload.cgi function. A specially crafted HTTP request can cause an unverified device configuration change, resulting in an unverified change of the 'user' password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.
A critical command-injection vulnerability (CVE-2018-4061) exists in the ACEManager iplogging.cgi functionality. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability.
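The following is an added illustration, not Sierra Wireless or Talos code, of the shape of bug the iplogging.cgi advisory describes: a request parameter spliced into a shell command line, shown beside the argv-list and allowlist form that closes the hole. The `iface` parameter, the `tcpdump` command, the interface allowlist and the request strings are all assumptions made for this example and are not taken from the device.

```python
"""Added illustration (not Sierra Wireless or Talos code) of a CGI handler that
builds a shell command from a request parameter, beside the hardened form.
The 'iface' parameter, the tcpdump command line and the allowlist are assumptions."""
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Assumed allowlist; a real handler would enumerate the device's own interfaces.
KNOWN_IFACES = {"eth0", "eth1", "wwan0"}
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{1,14}$")


def build_command_vulnerable(query):
    """Vulnerable: the raw parameter is interpolated into one string that is later
    handed to a shell.  Anything after ';', '&&', '|' or inside $() runs as well."""
    iface = parse_qs(query).get("iface", [""])[0]
    return f"tcpdump -i {iface} -c 10 -w /tmp/capture.pcap"


def build_command_safe(query):
    """Hardened: validate the value against a strict pattern and an allowlist, then
    return an argv list.  Passed to subprocess without shell=True the value can only
    ever be one argument, never a second command."""
    iface = parse_qs(query).get("iface", [""])[0]
    if not IFACE_RE.fullmatch(iface) or iface not in KNOWN_IFACES:
        raise ValueError(f"rejected interface name: {iface!r}")
    return ["tcpdump", "-i", iface, "-c", "10", "-w", "/tmp/capture.pcap"]


def shell_commands(cmdline):
    """Split a command line into the separate commands a POSIX shell would run,
    using shlex's punctuation mode to recognise ';', '&&', '||', '|' and '&'."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    cmds, cur = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            if cur:
                cmds.append(cur)
                cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def run_with_shell(cmdline):
    """Execute the string the way the vulnerable handler would (sh -c), but with
    'echo' prefixed so no capture tool is actually invoked.  Returns stdout."""
    proc = subprocess.run(["sh", "-c", "echo " + cmdline],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed request strings; ';' and '#' are URL-encoded as a client would.
    benign = "iface=eth0"
    hostile = "iface=eth0%3Becho%20INJECTED%3B%23"   # decodes to eth0;echo INJECTED;#
    print("vulnerable builds :", build_command_vulnerable(hostile))
    print("shell would run   :", shell_commands(build_command_vulnerable(hostile)))
    print("shell output      :", run_with_shell(build_command_vulnerable(hostile)))
    print("safe argv         :", build_command_safe(benign))
    try:
        build_command_safe(hostile)
    except ValueError as exc:
        print("safe rejects      :", exc)
```

The point of `shell_commands` is to make the failure visible without running anything dangerous: the vulnerable builder turns a single parameter into two shell commands, while the hardened builder either rejects the input or yields a list in which the interface name can only ever be `argv[2]`.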
As well as these bugs, there are four information-disclosure vulnerabilities. CVE-2018-4069 is an information-disclosure vulnerability in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. "The ACEManager authentication functionality is done in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device to capitalize on this vulnerability," said researchers. That matters for the other flaws, which all require an authenticated request: a credential captured from the plaintext login exchange is enough to satisfy that precondition.
Three other flaws could expose internal paths and files; the default configuration for the device; or plain text passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger these vulnerabilities.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that these flaws could allow anyone on your network, even a guest user, to take over the router completely via its built-in web server, turning themselves into a superadministrator. "Fortunately, the bugs were only publicised after a fix was available - but that means you really need the patches. So, if you have an affected device make sure it's up to date - go and check it now!" he said.
Ducklin also warned programmers who are building firmware for low-cost devices not to be in a hurry when it comes to creating web server code.
"Many basic web servers are easy to extend, and the code to extend them is easy to write. But code that's easily tweaked is also easy to get wrong," said Ducklin. "If you're taking in data from outside, you need to be super-careful about what you allow in, where you put it, and what you do with it later. Uploads are especially dangerous because you're deliberately allowing outsiders to save files of their choice onto your server. You need to make sure they can't use their uploaded files as Trojan Horses to run unauthorised commands later on."
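The following is an added illustration, not Sierra Wireless, Talos or Sophos code, of the upload pitfall behind the CVE-2018-4063 description above and of the advice Ducklin gives: a CGI upload handler that trusts the client-supplied filename and drops the file where the web server will execute it, beside a hardened handler that chooses the destination itself. The directory layout, the allowed extensions and the sample payload are assumptions constructed for the example.

```python
"""Added illustration (not Sierra Wireless, Talos or Sophos code) of an upload
handler that lets a client place executable code under the web server, beside
a hardened handler.  Directory layout and allowed extensions are assumptions."""
import os
import re
import shutil
import tempfile

# Assumed policy for the hypothetical handler: it only ever expects certificates
# and config fragments, so anything else is refused before it touches disk.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}$")
ALLOWED_EXT = {".pem", ".crt", ".cfg"}


def save_upload_vulnerable(webroot, filename, data):
    """Vulnerable pattern: the client's name is joined onto the web root as-is
    and the result is made executable.  A name such as '../cgi-bin/x.cgi' lands
    in the CGI directory and is then routable as code."""
    dest = os.path.join(webroot, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o755)
    return dest


def save_upload_safe(store, webroot, filename, data):
    """Hardened pattern: reject any directory component or odd character,
    allowlist the extension, let the server pick the destination, keep it
    outside the web root, refuse to overwrite, and never set an execute bit."""
    if os.path.basename(filename) != filename or not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected extension: {filename!r}")
    store_real = os.path.realpath(store)
    web_real = os.path.realpath(webroot)
    dest = os.path.realpath(os.path.join(store_real, filename))
    # Belt and braces: the final path must be inside the store, and the store
    # itself must not sit under the document root.
    if os.path.commonpath([dest, store_real]) != store_real:
        raise ValueError("destination escaped the upload store")
    if os.path.commonpath([store_real, web_real]) == web_real:
        raise ValueError("upload store must not live under the web root")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def make_layout():
    """Constructed scratch layout for the demo: htdocs/ and cgi-bin/ side by
    side, plus an uploads/ store outside both."""
    root = tempfile.mkdtemp(prefix="upload-demo-")
    for d in ("htdocs", "cgi-bin", "uploads"):
        os.mkdir(os.path.join(root, d))
    return root


def demo():
    """Run both handlers against the same hostile input and report what happened."""
    root = make_layout()
    webroot = os.path.join(root, "htdocs")
    store = os.path.join(root, "uploads")
    cgi_bin = os.path.realpath(os.path.join(root, "cgi-bin"))
    payload = b"#!/bin/sh\necho this would run as the web server\n"   # constructed
    hostile = "../cgi-bin/backdoor.cgi"
    result = {}
    try:
        real = os.path.realpath(save_upload_vulnerable(webroot, hostile, payload))
        result["vuln_landed_in_cgi_bin"] = real.startswith(cgi_bin + os.sep)
        result["vuln_executable"] = os.access(real, os.X_OK)
        for name in (hostile, "backdoor.cgi", "..", "cert.pem;id"):
            try:
                save_upload_safe(store, webroot, name, payload)
                result[f"safe_rejected:{name}"] = False
            except ValueError:
                result[f"safe_rejected:{name}"] = True
        p = save_upload_safe(store, webroot, "device.pem", b"-----BEGIN CERTIFICATE-----\n")
        result["safe_inside_store"] = os.path.dirname(p) == os.path.realpath(store)
        result["safe_executable"] = os.access(p, os.X_OK)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler does four independent things, and each would have blocked the hostile name on its own: it refuses any path component, it refuses an extension the handler has no business accepting, it resolves the final path and checks containment, and it writes the file without an execute bit into a directory the web server never routes to. Layered like that, a mistake in one check is not enough to turn an upload into a Trojan Horse.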