Saturday, June 25, 2016

[ICS] Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple Vulnerabilities

About

The Sierra Wireless Raven XE and XT wireless gateways are used in the following industries and applications: utilities, manufacturing, automation, oil and gas, Ethernet-based SCADA, and telemetry.

Rugged Design and Advanced Security for Fixed and Portable Wireless Communication: Raven XE/XT
  • Ethernet (XE) or serial (XT) options with USB and digital I/O
  • Compact design for industrial applications
APPLICATIONS:
  • Digital Signage
  • Remote Monitoring Surveillance 
  • Vending/Kiosk 
  • Banking/ATM

1. Weak Credential Management 

The device web administration interface (TCP port 9191) and the AirLink AT Command Interpreter (Telnet, TCP port 2332) use the non-random default credentials user:12345. Neither the application nor the system forces a change of the default password. A network-based attacker can use these credentials to gain privileged access to both management interfaces.

Affected devices:

A

Device Models: Raven XE HSPA
Radio Module Type: MC8790
Radio Firmware Version: K2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC 2010/03/04 17:37:08
Device ID: 0x010112DE143DD5A2
Device Hardware Configuration: 0c150100000300000000000000000000
ALEOS Software Version: H2225E_4.0.10.001 Jul 21 2011
Boot Version: 3.7.2

B

Device Models: GX400
ID: CA1303309191005
Radio Module Type: MC5728
Radio Firmware Version: p2815600,53239 [Aug 27 2012 10:01:25] ATGlobal
Boot Version: 1.0.11
ALEOS Software Version: 4.3.4
ALEOS Build Number: 009
Device Hardware Configuration: 12160306000700000000000000000000
MSCI Version: 10

C

Device Models: GX440 + potentially all GX models

Comment from the vendor: Sierra Wireless strongly recommends that customers change all the default passwords on equipment they purchase, especially for interfaces that are enabled on public networks. We also recommend that customers use the firewall configuration options to disable these interfaces on the cellular WAN interface as an extra precaution.


+++++

Additional Issue / Note

It should be pointed out that during investigation of these issues, it was found that at least one Raven device accessible over the internet had been configured to forward port 80 traffic to the unauthenticated web configuration form for an Anybus S Ethernet Controller connected to the LAN side of the gateway. This is not a product vulnerability per se because the forwarding feature is not enabled by default and has legitimate application when the gateway is operating on private networks and/or the receiving device has proper security measures in place. 

Sierra Wireless strongly recommends that port forwarding never be enabled to unauthenticated or otherwise insecure interfaces on the LAN side of the gateway and especially not when the gateway is operating on public networks.

+++++

2. Ace Manager contains a global CSRF vulnerability

There is no anti-CSRF token in use. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request.
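As an added illustration of the mitigation the vendor mentions below (this is not ALEOS or Ace Manager code; the Session class, the form fields and the setting name are a hypothetical minimal model), a per-session synchronizer token check that rejects a forged cross-site request to a configuration endpoint while accepting the legitimate form submission:

```python
import hmac
import secrets

# Hypothetical model of a management-UI login session (not the device's own code).
class Session:
    def __init__(self):
        # One unpredictable token per login session, never sent in a cookie.
        self.csrf_token = secrets.token_urlsafe(32)
        self.config = {}

def render_form(session):
    """The form the legitimate UI serves: carries the session's token as a hidden field."""
    return {"setting": "", "csrf_token": session.csrf_token}

def apply_config(session, form):
    """Apply a state-changing request only if its token matches the session's token.

    A cross-site page can make the victim's browser send the session cookie, but it
    cannot read the hidden token out of the legitimate form, so it cannot supply a
    matching value and the request is refused.
    """
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return False
    session.config["setting"] = form["setting"]
    return True

def demo():
    """Legitimate submission vs. a forged one lacking the token (constructed values)."""
    session = Session()
    legit = dict(render_form(session), setting="wan-admin=off")
    forged = {"setting": "wan-admin=on"}  # what a cross-site page could post: no token
    return apply_config(session, legit), apply_config(session, forged), session.config
```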

Affected devices:
All Raven XE/XT models

Comment from the vendor: Sierra Wireless acknowledges the lack of anti-CSRF tokens in the Ace Manager interface and will consider adding them in a future release. In the meantime we recommend customers follow best practice for sensitive networks and not simultaneously connect to critical infrastructure equipment and the public internet where CSRF attacks are likely to be found. 

Note that the Raven XE/XT devices are past end of life and will not receive firmware updates to address this issue so adherence to best practice is strongly recommended.

+++++

3. Sensitive information leakage via GET requests 

The application uses GET requests after login and for certain functions. The following GET request happens during login:

GET /admin/AceManager.htm?hwstr=abcdef00000g00000000000000000000&user=<value_mapped_to_user>&pwd=<value_mapped_to_password> HTTP/1.1
Host: IP:9191
User-Agent: blah
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Authorization: Basic dXNlcjoxMjM0NQ==

These GET requests carry the (merely obfuscated) credentials in the URL and are therefore prone to sniffing.

Calling the following URL logs you in to the device management portal, and it can be used to log in directly to AceManager:

<value_mapped_to_user>&pwd=<value_mapped_to_password> 

Points to note:
1. These creds appear to be mapped to the HTTP login (user:12345); a change in the HTTP login changes these creds.
2. The GET requests are vulnerable to sniffing.
3. Password brute-force attacks can be automated against this URL.

Affected devices:

All Raven XE/XT models


Comment from the vendor: Sierra Wireless acknowledges this issue in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that best practices be followed and the Ace Manager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers. 

+++++

4. Unauthenticated access to directories + Arbitrary File Upload

Following directories can be accessed without any authentication: 

With access to the ACEManager GUI page /admin/UpLoadTemp.htm, everyone gets access to the following options:

-> Upload, Download and Refresh; a Reboot option is also offered.

There is also a Logout option on this screen, indicating that we are treated as logged in. No other function is shown. Anyone can potentially reboot the box; no authentication is needed.

Moving ahead. 

When we make a request to http://IP:9191/admin/AceManager.htm, there are 3 GET requests made by the application: 


When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no authentication on this page, and it offers an option to upload a template file, with three options -

a. Load to screen 
b. Preview 
c. Load & Apply

It may be possible to load a template that when loaded, modifies the configuration and makes the device unavailable for access & usability. 

Looking at the page source of /admin/UpLoadTemp.html, we find that templates are uploaded to /Upload. 

When we access http://IP:9191/admin/UpLoad.htm, there is (again) no authentication on this page, and it gives a few more options and information:

a. Any unauthenticated user can upload any file to the device
b. Arbitrary files can be uploaded via the upload form. Files get uploaded to / 
c. Uploaded files can be accessed at: http://IP/<file_name> 
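For defenders monitoring traffic to the management port, here is an added detection example (not code from the original post or from Sierra Wireless) that inspects captured HTTP requests for the three patterns described in sections 3 and 4: login credentials carried in the AceManager.htm query string, a Basic header that still decodes to the factory default user:12345, and access to the upload pages with no credentials at all. The sample requests and the 192.0.2.10 address are constructed.

```python
import base64
from urllib.parse import urlsplit, parse_qs

DEFAULT_CREDENTIAL = "user:12345"  # factory default from section 1; dXNlcjoxMjM0NQ== is its base64
UNAUTH_PAGES = {"/admin/UpLoad.htm", "/admin/UpLoadTemp.htm"}  # pages reported in section 4

# Constructed sample captures (not from the original post), shaped like the request above.
SAMPLE_REQUESTS = [
    "GET /admin/AceManager.htm?hwstr=abcdef00000g00000000000000000000&user=u1&pwd=p1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:9191\r\nAuthorization: Basic dXNlcjoxMjM0NQ==\r\n",
    "GET /admin/UpLoad.htm HTTP/1.1\r\nHost: 192.0.2.10:9191\r\nUser-Agent: blah\r\n",
    "GET /admin/Status.htm HTTP/1.1\r\nHost: 192.0.2.10:9191\r\n"
    "Authorization: Basic YWRtaW46c3Ryb25nLXBhc3M=\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request into (method, target, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def inspect_request(raw):
    """Return the findings for one captured request to the gateway's port 9191."""
    _method, target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    findings = []
    # Credentials in the query string: logged by proxies, kept in browser history, sniffable.
    if url.path.endswith("/AceManager.htm") and "user" in query and "pwd" in query:
        findings.append("credentials-in-url")
    # Basic header that still decodes to the factory default.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth.split(None, 1)[1], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        if decoded == DEFAULT_CREDENTIAL:
            findings.append("default-credentials")
    # Upload pages reached with no credentials presented at all.
    if url.path in UNAUTH_PAGES and not auth:
        findings.append("unauthenticated-upload-page")
    return findings
```

Any non-empty result is worth an alert; an empty list only means none of these three patterns matched, not that the request was benign.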

Affected devices: 
All Raven XE/XT models

Comment from the vendor: Sierra Wireless acknowledges this issue in versions of ALEOS compatible with the end of life Raven XE/XT family. It does not exist in current ALEOS products. As previously noted there will be no firmware updates to address this issue on the Raven XE/XT. Sierra Wireless strongly recommends that the AceManager interface be disabled on the cellular WAN connection, particularly when the device is active on public networks in order to prevent exploitation of this sensitive information by internet-based attackers.

+++++

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.