*Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities*
*About* http://www.sierrawireless.com/products-and-solutions/gateway-solutions/raven-series/ Rugged Design and Advanced Security for Fixed and Portable Wireless Communication Raven XE/XT Compact design for industrial applications Ethernet (XE) or serial (XT) options with USB and digital I/O *APPLICATIONS:* Remote Monitoring Surveillance Vending/Kiosk Banking/ATM Digital Signage *1. Weak Credential Management * The device web administration interface (TCP port 9191) and Airlink AT Command Interpreter (Telnet TCP 2332) uses non-random default credentials of user:12345. The application / system does not enforce a forced password change for default credentials. A network-based attacker can use these credentials to gain privileged access to these management interfaces. *Affected devices: * A Device Models Raven XE HSPA Radio Module TypeMC8790 Radio Firmware VersionK2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC 2010/03/04 17:37:08 ATDevice ID0x010112DE143DD5A2 ATALEOS Software Version H2225E_4.0.10.001 Jul 21 2011 Device Hardware Configuration 0c150100000300000000000000000000 Boot Version 3.7.2 B Device Models GX400 Radio Module Type MC5728 Radio Firmware Versionp2815600,53239 [Aug 27 2012 10:01:25] ATGlobal IDCA1303309191005 ATALEOS Software Version 4.3.4 ALEOS Build number 009 Device Hardware Configuration 12160306000700000000000000000000 Boot Version 1.0.11 MSCI Version 10 C Device Models GX440 + potentially all GX models *Comment from the vendor*: Sierra Wireless strongly recommends that customers change all the default passwords on equipment they purchase, especially for interfaces that are enabled on public networks. We also recommend that customers use the firewall configuration options to disable these interfaces on the cellular WAN interface as an extra precaution. +++++ *Additional Issue / Note * It should be pointed out that during investigation of these issues, it was found that at least one Raven device accessible over the internet had been configured to forward port 80 traffic to the unauthenticated web configuration form for an Anybus S Ethernet Controller connected to the LAN side of the gateway. This is not a product vulnerability per se because the forwarding feature is not enabled by default and has legitimate application when the gateway is operating on private networks and/or the receiving device has proper security measures in place. Sierra Wireless strongly recommends that port forwarding never be enabled to unauthenticated or otherwise insecure interfaces on the LAN side of the gateway and especially not when the gateway is operating on public networks. +++++ *2. Ace Manager contains a global CSRF vulnerability * There is no anti-CSRF token in use. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. *Affected devices: * All Raven XE/XT models *Comment from the vendor*: Sierra Wireless acknowledges the lack of anti-CSRF tokens in the Ace Manager interface and will consider adding them in a future release. In the meantime we recommend customers follow best practice for sensitive networks and not simultaneously connect to critical infrastructure equipment and the public internet where CSRF attacks are likely to be found. Note that the Raven XE/XT devices are past end of life and will not receive firmware updates to address this issue so adherence to best practice is strongly recommended. +++++ *3. Sensitive information leakage via GET requests * Application uses GET requests post login and for certain functions. The following GET request happens during login: GET /admin/AceManager.htm?hwstr= abcdef00000g00000000000000000000&user=<value_mapped_to_user>&pwd=<value_mapped_to_password> HTTP/1.1 Host: IP:9191 User-Agent: blah Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Referer: http://IP:9191/index.htm Authorization: Basic dXNlcjoxMjM0NQ== Connection: keep-alive These GET requests with obfuscated creds are therefore prone to sniffing, and can be used to log in directly to AceManager. You will be logged in to device management portal by calling the following url: http://IP/admin/AceManager.htm?hwstr=abcdef00000g00000000000000000000&user= <value_mapped_to_user>&pwd=<value_mapped_to_password> *Points to note: * 1. These creds appear to be mapped to HTTP login (user:12345). A change in http login changes these creds. 2. GET requests - vulnerable to sniffing. 3. Possibility of automating password brute force attacks *Affected devices: * All Raven XE/XT models *Comment from the vendor*: Sierra Wireless acknowledges this issue in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that best practices be followed and the Ace Manager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers. +++++ *4. Unauthenticated access to directories + Arbitrary File Upload * Following directories can be accessed without any authentication: http://IP/admin/AceManager.htm?hwstr= http://IP:9191/admin/UpLoadTemp.htm http://IP:9191/admin/UpLoad.htm With access to ACEManager GUI */admin/UpLoadTemp.htm*, everyone gets access to following options: -> Upload, Download, Refresh options, Reboot option is also offered now. There is also Logout option on this screen pointing that we are logged in. No other function is shown. Anyone can potentially be able to reboot the box. No authentication is needed. Moving ahead. When we make a request to http://IP:9191/admin/AceManager.htm, there are 3 GET requests made by the application: http://IP:9191/admin/AceManager.htm http://IP:9191/admin/UpLoadTemp.htm http://IP:9191/admin/AceManager.htm When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no authentication on this page, and we find it offers an option to upload a template file, with three options - a. Load to screen b. Preview c. Load & Apply It may be possible to load a template that when loaded, modifies the configuration and makes the device unavailable for access & usability. Looking at the page source of /admin/UpLoadTemp.html, we find that templates are uploaded to /Upload. When we access http://IP:9191/admin/UpLoad.htm, there is no auth (again) on this page, and it gives few more options and information. a. Any unauthenticated user can upload any file to the device b. Arbitrary files can be uploaded via the upload form. Files get uploaded to / c. Uploaded files can be accessed at: http://IP/<file_name> *Affected devices: * All Raven XE/XT models *Comment from the vendor*: Sierra Wireless acknowledges in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that the AceManager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers. +++++ -- Best Regards, Karn Ganeshen _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/