Lucene search
K

Sierra Wireless AirLink Raven XE Industrial 3G Gateway CSRF / File Upload

🗓️ 23 Jun 2016 00:00:00Reported by Karn GaneshenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 51 Views

Sierra Wireless AirLink Raven XE Industrial 3G Gateway vulnerabilities in weak credential management, CSRF, and sensitive information leakage

Code
`*Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple  
Vulnerabilities*  
  
*About*  
http://www.sierrawireless.com/products-and-solutions/gateway-solutions/raven-series/  
  
Rugged Design and Advanced Security for Fixed and Portable Wireless  
Communication  
  
Raven XE/XT  
Compact design for industrial applications  
Ethernet (XE) or serial (XT) options with USB and digital I/O  
  
*APPLICATIONS:*  
Remote Monitoring Surveillance Vending/Kiosk  
Banking/ATM  
Digital Signage  
  
*1. Weak Credential Management *  
  
The device web administration interface (TCP port 9191) and Airlink AT  
Command Interpreter (Telnet TCP 2332) uses non-random default credentials  
of user:12345. The application / system does not enforce a forced password  
change for default credentials. A network-based attacker can use these  
credentials to gain privileged access to these management interfaces.  
  
*Affected devices: *  
  
A  
Device Models Raven XE HSPA  
Radio Module TypeMC8790  
Radio Firmware VersionK2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC  
2010/03/04 17:37:08  
ATDevice ID0x010112DE143DD5A2  
ATALEOS Software Version H2225E_4.0.10.001 Jul 21 2011  
Device Hardware Configuration 0c150100000300000000000000000000  
Boot Version 3.7.2  
  
B  
Device Models GX400  
Radio Module Type MC5728  
Radio Firmware Versionp2815600,53239 [Aug 27 2012 10:01:25] ATGlobal  
IDCA1303309191005  
ATALEOS Software Version 4.3.4  
ALEOS Build number 009  
Device Hardware Configuration 12160306000700000000000000000000  
Boot Version 1.0.11  
MSCI Version 10  
  
C  
  
Device Models GX440 + potentially all GX models  
  
*Comment from the vendor*: Sierra Wireless strongly recommends that  
customers change all the default passwords on equipment they purchase,  
especially for interfaces that are enabled on public networks. We also  
recommend that customers use the firewall configuration options to disable  
these interfaces on the cellular WAN interface as an extra precaution.  
  
+++++  
  
*Additional Issue / Note *  
  
It should be pointed out that during investigation of these issues, it was  
found that at least one Raven device accessible over the internet had been  
configured to forward port 80 traffic to the unauthenticated web  
configuration form for an Anybus S Ethernet Controller connected to the LAN  
side of the gateway. This is not a product vulnerability per se because the  
forwarding feature is not enabled by default and has legitimate application  
when the gateway is operating on private networks and/or the receiving  
device has proper security measures in place. Sierra Wireless strongly  
recommends that port forwarding never be enabled to unauthenticated or  
otherwise insecure interfaces on the LAN side of the gateway and especially  
not when the gateway is operating on public networks.  
  
+++++  
  
*2. Ace Manager contains a global CSRF vulnerability *  
  
There is no anti-CSRF token in use. An attacker can perform actions with  
the same permissions as a victim user, provided the victim has an active  
session and is induced to trigger the malicious request.  
  
*Affected devices: *  
  
All Raven XE/XT models  
  
*Comment from the vendor*: Sierra Wireless acknowledges the lack of  
anti-CSRF tokens in the Ace Manager interface and will consider adding them  
in a future release. In the meantime we recommend customers follow best  
practice for sensitive networks and not simultaneously connect to critical  
infrastructure equipment and the public internet where CSRF attacks are  
likely to be found. Note that the Raven XE/XT devices are past end of life  
and will not receive firmware updates to address this issue so adherence to  
best practice is strongly recommended.  
  
+++++  
  
*3. Sensitive information leakage via GET requests *  
  
Application uses GET requests post login and for certain functions. The  
following GET request happens during login:  
  
GET /admin/AceManager.htm?hwstr=  
abcdef00000g00000000000000000000&user=<value_mapped_to_user>&pwd=<value_mapped_to_password>  
HTTP/1.1  
Host: IP:9191  
User-Agent: blah  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Referer: http://IP:9191/index.htm  
Authorization: Basic dXNlcjoxMjM0NQ==  
Connection: keep-alive  
  
These GET requests with obfuscated creds are therefore prone to sniffing,  
and can be used to log in directly to AceManager.  
  
You will be logged in to device management portal by calling the following  
url:  
  
http://IP/admin/AceManager.htm?hwstr=abcdef00000g00000000000000000000&user=  
<value_mapped_to_user>&pwd=<value_mapped_to_password>  
  
  
*Points to note: *  
1. These creds appear to be mapped to HTTP login (user:12345). A change in  
http login changes these creds.  
2. GET requests - vulnerable to sniffing.  
3. Possibility of automating password brute force attacks  
  
  
*Affected devices: *  
  
All Raven XE/XT models  
  
  
*Comment from the vendor*: Sierra Wireless acknowledges this issue in  
versions of ALEOS compatible with the end of life Raven XE/XT family. It  
does not exist in current ALEOS products. As previously noted there will be  
no firmware updates to address this issue on the Raven XE/XT. Sierra  
Wireless strongly recommends that best practices be followed and the Ace  
Manager interface be disabled on the cellular WAN connection, particularly  
when the device is active on public networks in order to prevent  
exploitation of this sensitive information by internet-based attackers.  
  
+++++  
  
*4. Unauthenticated access to directories + Arbitrary File Upload *  
  
Following directories can be accessed without any authentication:  
http://IP/admin/AceManager.htm?hwstr=  
http://IP:9191/admin/UpLoadTemp.htm  
http://IP:9191/admin/UpLoad.htm  
  
With access to ACEManager GUI */admin/UpLoadTemp.htm*, everyone gets access  
to following options:  
  
-> Upload, Download, Refresh options, Reboot option is also offered now.  
  
There is also Logout option on this screen pointing that we are logged in.  
No other function is shown. Anyone can potentially be able to reboot the  
box. No authentication is needed.  
  
Moving ahead.  
  
When we make a request to http://IP:9191/admin/AceManager.htm, there are 3  
GET requests made by the application:  
  
http://IP:9191/admin/AceManager.htm  
http://IP:9191/admin/UpLoadTemp.htm  
http://IP:9191/admin/AceManager.htm  
  
When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no  
authentication on this page, and we find it offers an option to upload a  
template file, with three options -  
a. Load to screen  
b. Preview  
c. Load & Apply  
  
It may be possible to load a template that when loaded, modifies the  
configuration and makes the device unavailable for access & usability.  
  
Looking at the page source of /admin/UpLoadTemp.html, we find that  
templates are uploaded to /Upload.  
  
When we access http://IP:9191/admin/UpLoad.htm, there is no auth (again) on  
this page, and it gives few more options and information.  
  
a. Any unauthenticated user can upload any file to the device  
b. Arbitrary files can be uploaded via the upload form. Files get uploaded  
to /  
c. Uploaded files can be accessed at: http://IP/<file_name>  
  
*Affected devices: *  
  
All Raven XE/XT models  
  
*Comment from the vendor*: Sierra Wireless acknowledges in versions of  
ALEOS compatible with the end of life Raven XE/XT family. It does not exist  
in current ALEOS products. As previously noted there will be no firmware  
updates to address this issue on the Raven XE/XT. Sierra Wireless strongly  
recommends that the AceManager interface be disabled on the cellular WAN  
connection, particularly when the device is active on public networks in  
order to prevent exploitation of this sensitive information by  
internet-based attackers.  
  
+++++  
--   
Best Regards,  
Karn Ganeshen  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation