Forescout Vedere Labs Detects Vulnerabilities Affecting Sierra Wireless Airlink Routers
Forescout Vedere Labs has identified a total of 21 new vulnerabilities affecting Sierra Wireless AirLink cellular routers and some of its open source components such as TinyXML and OpenNDS, which are used in a variety of other products.
These routers are often used in combination with critical communications infrastructure projects for public safety, public transport and other vertical markets.
This new research confirms some trends that Forescout has been tracking:
- Vulnerabilities on routers and network infrastructure are on the rise. Vulnerabilities on network infrastructure have consistently ranked among the most exploited since at least 2020; state-sponsored actors have been developing custom malware to use routers for persistence and espionage, while cybercriminals are leveraging them for residential proxies and to form botnets. Although most organizations are aware of the attack surface on their IT network infrastructure, many OT/IoT edge devices may not receive the same level of attention from security teams.
- Vulnerabilities in OT/IoT devices often arise from design flaws, such as the use of hardcoded credentials and certificates we saw in this research and previously in OT:ICEFALL, or issues when parsing malformed packets (see CVE-2023-41101 in this research and the many we saw previously in Project Memoria). These latter vulnerabilities are easier to exploit in OT/IoT devices because of the lack of effective exploit mitigations.
- Supply chain components, such as open-source software provided by third parties, can be very risky and increase the attack surface of critical devices, leading to vulnerabilities that may be hard for asset owners to track and mitigate.
Finding so many new vulnerabilities on software components of a well-studied device shows that device manufacturers, and in turn asset owners, must pay special attention to risks stemming from the software supply chain, both from open- and closed-source components. Asset owners are the ones who, at the end, may get breached due to insecure devices on their networks and, currently, they must either depend on device manufacturers to adequately address supply chain vulnerabilities or implement their own risk mitigation strategies that do not rely exclusively on patching. The former option is risky, since as Forescout observed 2 years ago when concluding Project Memoria, legacy software components enable the connected world, vulnerability notification to a large number of parties is difficult and vendors/maintainers are often unresponsive, which means that organizations across several industries may remain vulnerable for a long time. The latter option – risk mitigation – is more broadly applicable and can lead to an overall better security posture against new and old vulnerabilities in critical devices.
Summary of findings
Forescout found 21 new vulnerabilities affecting OT/IoT routers. One has critical severity (CVSS score 9.6) and nine have high severity. These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks. The vulnerabilities are categorized as follows:
- Remote Code Execution (RCE) vulnerabilities allowing attackers to take full control of a device by injecting malicious code.
- Cross site scripting (XSS) vulnerabilities that may be used to inject malicious code on clients browsing the management application, thus potentially stealing credentials.
- Denial of service (DoS) vulnerabilities that may be used to crash the management application for a variety of reasons, from simple vandalism to more sophisticated multi-staged attacks.
- Unauthorized access, via design flaws such as hardcoded credentials and hardcoded private keys and certificates, which capable attackers can use to perform man-in-the-middle attacks or to recover passwords.
- Authentication bypasses that allow attackers to skip the captive portal's authentication and connect to the protected WiFi network directly.
Impact
Forescout found more than 86,000 of these routers exposed online in organizations such as power distribution, a national health system, waste management, retail, and vehicle tracking. Fewer than 10% of the total exposed routers are confirmed to be patched against previously known vulnerabilities found since 2019. For devices exposing a specific management interface (AT commands over Telnet), 90% are end of life, which means they cannot be patched anymore.