Lucene search

threatpostTara SealsTHREATPOST:142DAF150C2BF9EB70ECE95F46939532
HistoryApr 26, 2019 - 4:12 p.m.

Critical Flaws in Sierra Wireless 5G Gateway Allow RCE, Command Injection

Tara Seals





A 5G wireless gateway tailored for industrial internet of things (IoT), retail point-of-sale and enterprise redundancy applications is riddled with vulnerabilities, include two critical bugs that allow remote code-execution (RCE) and arbitrary command-injection.

The Sierra Wireless AirLink ES450 LTE gateway (version 4.9.3) has 11 different bugs, which could be exploited for RCE, uncovering user credentials (including the administrator’s password) and other scenarios, according to Cisco Talos, which found the issues. Sierra Wireless has issued an update and administrators are encouraged to apply it.

“The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450,” Cisco explained in an advisory on Thursday. “ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.”

The most serious of the flaws is a critical RCE vulnerability (CVE-2018-4063), CVSS score of 9.9, in the upload.cgi function of the ACEManager, which allows an attacker to use a specially crafted HTTP request to upload executable code, to be routed to the web server.

“When uploading template files, you can specify the name of the file that you are uploading,” according to Cisco. “There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”

Further, since ACEManager is running as root, any executables that are run by those files will be running also as root. “By uploading a small wrapper, we can upload arbitrary code to the device and run by simply navigating to the web page through the browser,” Cisco noted.

Also in the upload.cgi function, an unverified password change vulnerability (CVE-2018-4064) opens the door to an unverified device configuration change, resulting in an unverified change of the user password on the device.

In both cases, an attacker exploiting the upload.cgi bugs can make an authenticated HTTP request to trigger the vulnerability.

There’s also a critical command-injection vulnerability (CVE-2018-4061), CVSS score of 9.9, which exists in the ACEManager iplogging.cgi functionality. An authenticated attacker can send a specially crafted HTTP request to inject arbitrary commands, resulting in arbitrary command execution as root. This bug most likely also affects the also most likely affects the AirLink GX450 product, Cisco added.

Another problem arises from having hard-coded credentials (CVE-2018-4062) in the SNMPD function of the gateway.

“Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user,” according to Cisco. “An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.”

Meanwhile, there are four information-disclosure vulnerabilities. For one, the ACEManager authentication functionality is done in plaintext XML to the web server (CVE-2018-4069), so an attacker can listen to network traffic upstream from the device to sniff out credentials.

The other three (CVE-2018-4067, CVE-2018-4068 and CVE-2018-4070/CVE-2018-4071) can expose internal paths and files; the default configuration for the device; or plain text passwords and SNMP community strings. An attacker can send an unauthenticated HTTP request to trigger any of these.

Other bugs include a permission assignment vulnerability (CVE-2018-4072/CVE-2018-4073), a cross-site scripting (CSS) vulnerability (CVE-2018-4065) and a cross-site request forgery (CSRF) vulnerability (CVE-2018-4066).

The gateway is billed as a “a reliable, secure LTE gateway,” and is one of the first-to-market to capitalize on the deployment of next-generation 5G mobile networks, which are expected to support a whole raft of new use cases, especially in the industrial IoT space. But as these flaws illustrate, vulnerabilities come with any new territory.

“History has shown us that when we expand our computing power and connectivity, we open up a new landscape for attackers to use against us, with prime examples of this being the cloud and connected IoT devices,” Steve McGregory, senior director of application and threat intelligence at Ixia, told Threatpost. He added, “We are racing into 5G just as we did with IoT and the cloud…if that trend is to continue, then we must plan and prepare.”