Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities
The Sierra Wireless Raven XE and XT wireless gateways are used in the following industries and applications: utilities, manufacturing, automation, oil and gas, Ethernet-based SCADA, and telemetry.
Rugged Design and Advanced Security for Fixed and Portable Wireless
- Communication Raven XE/XT
- Ethernet (XE) or serial (XT) options with USB and digital I/OCompact design for industrial applications
- Digital Signage
- Remote Monitoring Surveillance
1. Weak Credential Management
The device web administration interface (TCP port 9191) and Airlink AT Command Interpreter (Telnet TCP 2332) uses non-random default credentialsof user:12345. The application / system does not enforce a forced password change for default credentials. A network-based attacker can use these credentials to gain privileged access to these management interfaces.
Affected devices: A Device Models Raven XE HSPA Radio Module TypeMC8790 Radio Firmware VersionK2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC 2010/03/04 17:37:08 ATDevice ID0x010112DE143DD5A2 Device Hardware Configuration 0c150100000300000000000000000000 ATALEOS Software Version H2225E_4.0.10.001 Jul 21 2011 Boot Version 3.7.2 B Device Models GX400 IDCA1303309191005 Radio Module Type MC5728 Radio Firmware Versionp2815600,53239 [Aug 27 2012 10:01:25] ATGlobal Boot Version 1.0.11 ATALEOS Software Version 4.3.4 ALEOS Build number 009 Device Hardware Configuration 12160306000700000000000000000000 Comment from the vendor: Sierra Wireless strongly recommends that MSCI Version 10 C Device Models GX440 + potentially all GX models
Comment from the vendor: Sierra Wireless strongly recommends that customers change all the default passwords on equipment they purchase, especially for interfaces that are enabled on public networks. We also recommend that customers use the firewall configuration options to disable these interfaces on the cellular WAN interface as an extra precaution.
Additional Issue / Note
It should be pointed out that during investigation of these issues, it was found that at least one Raven device accessible over the internet had been configured to forward port 80 traffic to the unauthenticated web configuration form for an Anybus S Ethernet Controller connected to the LAN side of the gateway. This is not a product vulnerability per se because the forwarding feature is not enabled by default and has legitimate application when the gateway is operating on private networks and/or the receiving device has proper security measures in place.
Sierra Wireless strongly recommends that port forwarding never be enabled to unauthenticated or otherwise insecure interfaces on the LAN side of the gateway and especially not when the gateway is operating on public networks.
2. Ace Manager contains a global CSRF vulnerability
There is no anti-CSRF token in use. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
All Raven XE/XT models
Comment from the vendor: Sierra Wireless acknowledges the lack of anti-CSRF tokens in the Ace Manager interface and will consider adding them in a future release. In the meantime we recommend customers follow best practice for sensitive networks and not simultaneously connect to critical infrastructure equipment and the public internet where CSRF attacks are likely to be found.
Note that the Raven XE/XT devices are past end of life and will not receive firmware updates to address this issue so adherence to best practice is strongly recommended.
3. Sensitive information leakage via GET requests
Application uses GET requests post login and for certain functions. The following GET request happens during login:
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjoxMjM0NQ==
These GET requests with obfuscated creds are therefore prone to sniffing.
You will be logged in to device management portal by calling the following
and can be used to log in directly to AceManager.
*Points to note: *
1. These creds appear to be mapped to HTTP login (user:12345). A change in http login changes these creds.
2. GET requests - vulnerable to sniffing.
3. Possibility of automating password brute force attacks
All Raven XE/XT models
Comment from the vendor: Sierra Wireless acknowledges this issue in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that best practices be followed and the Ace Manager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers.
4. Unauthenticated access to directories + Arbitrary File Upload
Following directories can be accessed without any authentication:
With access to ACEManager GUI */admin/UpLoadTemp.htm*, everyone gets access to following options:
-> Upload, Download, Refresh options, Reboot option is also offered now.
There is also Logout option on this screen pointing that we are logged in. No other function is shown. Anyone can potentially be able to reboot the box. No authentication is needed.
When we make a request to http://IP:9191/admin/AceManager.htm, there are 3 GET requests made by the application:
When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no authentication on this page, and we find it offers an option to upload a template file, with three options -
a. Load to screen
c. Load & Apply
It may be possible to load a template that when loaded, modifies the configuration and makes the device unavailable for access & usability.
Looking at the page source of /admin/UpLoadTemp.html, we find that templates are uploaded to /Upload.
When we access http://IP:9191/admin/UpLoad.htm, there is no auth (again) on this page, and it gives few more options and information.
a. Any unauthenticated user can upload any file to the device
b. Arbitrary files can be uploaded via the upload form. Files get uploaded to /
c. Uploaded files can be accessed at: http://IP/<file_name>
All Raven XE/XT models
Comment from the vendor: Sierra Wireless acknowledges in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that the AceManager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers.