OTORIO Reports Vulnerabilities in Sierra Wireless AirLink IIoT

  • January 31, 2023
  • News

Jan. 31, 2023 - Vienna/Munich - Security analysts at OTORIO, a provider of OT security solutions, have discovered two vulnerabilities affecting several Sierra Wireless IIoT devices. Sierra Wireless, part of Semtech, is a leading provider of connectivity for critical infrastructure. The vulnerabilities discovered by the OTORIO researchers expose the devices to remote code execution. They are part of OTORIO's study of the wireless IIoT attack surface, which security researcher Roni Gavrilov will present at the upcoming S4x23 conference on Feb. 15, 2023 in Miami.
 
Sierra Wireless' AirLink family of wireless gateways and modems provides businesses with solutions for various industrial, enterprise and automotive applications. The vulnerabilities identified by OTORIO are located in the following AirLink products that run the ALEOS operating system:

  • ALEOS software versions prior to and including version 4.9.7 (ES450, GX450)
  • ALEOS software versions prior to version 4.16.0 (MP70, RV50, RV50x, RV55, LX40, LX60)

Sierra Wireless and ICS-CERT (CISA) have published notices about the vulnerabilities.
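A fleet operator's first question is which devices fall inside the ranges listed above. The following Python snippet is an added example, not OTORIO's or Sierra Wireless's code: it encodes the two published ranges (inclusive bound 4.9.7 for ES450/GX450, exclusive bound 4.16.0 for the other models), compares versions numerically rather than as strings, and triages a constructed sample inventory. The hostnames and the unlisted model "XX00" are made-up placeholders.

```python
from typing import Optional

# Affected ranges as published in the advisory: model -> (bound, bound_is_inclusive)
AFFECTED = {
    # ALEOS software versions prior to and including 4.9.7
    "ES450": ((4, 9, 7), True),
    "GX450": ((4, 9, 7), True),
    # ALEOS software versions prior to 4.16.0
    "MP70": ((4, 16, 0), False),
    "RV50": ((4, 16, 0), False),
    "RV50X": ((4, 16, 0), False),
    "RV55": ((4, 16, 0), False),
    "LX40": ((4, 16, 0), False),
    "LX60": ((4, 16, 0), False),
}


def parse_version(v: str) -> tuple:
    """Turn '4.9.7' (or '4.16.0.12') into a tuple of ints so ordering is
    numeric: a plain string comparison would rank '4.9.7' above '4.16.0'."""
    parts = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:          # keep the leading digits, drop suffixes like 'rc1'
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the model/version pair is inside a published affected range,
    False if it is not, None if the advisory does not list the model."""
    key = model.strip().upper()
    if key not in AFFECTED:
        return None
    bound, inclusive = AFFECTED[key]
    ver = parse_version(version)
    # Pad both tuples to the same length so (4, 16) compares like (4, 16, 0).
    width = max(len(ver), len(bound))
    ver = ver + (0,) * (width - len(ver))
    bound = bound + (0,) * (width - len(bound))
    return ver <= bound if inclusive else ver < bound


def triage(inventory):
    """inventory: iterable of (hostname, model, aleos_version).
    Returns the hostnames that need the firmware update."""
    return [host for host, model, version in inventory if is_affected(model, version)]


# Constructed sample inventory for this example (not real devices).
SAMPLE_INVENTORY = [
    ("pump-gw-01", "RV50", "4.14.0"),     # below 4.16.0 -> affected
    ("pump-gw-02", "RV50x", "4.16.0"),    # at the fixed version -> not affected
    ("legacy-gw-03", "GX450", "4.9.7"),   # inclusive bound -> affected
    ("legacy-gw-04", "ES450", "4.9.8"),   # above 4.9.7 -> not affected
    ("other-gw-05", "XX00", "1.0"),       # model not in the advisory -> unknown
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("update required:", host)
```

Devices for which `is_affected` returns None are not cleared by this check; they are simply outside the published list and should be verified against the vendor notice separately.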
 

1. CVE-2022-46649 - Remote Code Execution

A user with valid ACEManager credentials and access to the ACEManager interface can manipulate IP logging to execute arbitrary shell commands on the device.
 
CVSS v3.1 Score: 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
 
A vulnerability in the ACEManager web service allows command injection through improper handling of the "-z" flag (which supplies a postrotate command to tcpdump) in requests to /cgi-bin/iplogging.cgi.
 
This vulnerability is a bypass of a patch released by Sierra Wireless in April 2019 that addressed CVE-2018-4061, reported by Talos.

The regular expression applied to each "-z" flag (the postrotate command) strips it only when it is followed by a space, tab, form feed, or vertical tab, i.e. the form "tcpdump -z reboot" that was previously used to exploit the same interface in CVE-2018-4061.

However, this check is insufficient, because the command can be supplied without any separating space. For example, "-zreboot" trivially bypasses the nearly three-year-old patch for the previously discovered CVE.
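The difference between a blocklist that looks for one spelling of a flag and an allowlist that tokenizes the argument string is the whole story of this bypass. The Python below is an added example, not OTORIO's or Sierra Wireless's code: the "weak" regular expression is a reconstruction from the description above (the actual patched code is not on this page), and the set of permitted tcpdump flags is a hypothetical allowlist chosen for the example.

```python
import re
import shlex

# Whitespace characters the advisory says the original filter looked for
# after "-z": space, tab, form feed and vertical tab.
WEAK_POSTROTATE_RE = re.compile(r"-z[ \t\f\v]")

# Hypothetical allowlist for this example: flags that take a value and
# flags that stand alone. "-z" (postrotate command) and "-w" (output file)
# are deliberately absent.
FLAGS_WITH_VALUE = {"-i", "-c", "-s"}
BARE_FLAGS = {"-n", "-e"}
SHELL_METACHARS = set(";|&$`<>()\n")


def weak_filter(args: str) -> bool:
    """Reconstruction (assumption) of the 2019 patch's behaviour: the
    request is rejected only when "-z" is followed by whitespace, so
    "-z reboot" is blocked but "-zreboot" is accepted."""
    return WEAK_POSTROTATE_RE.search(args) is None


def hardened_filter(args: str) -> bool:
    """Allowlist-based check: split the string the way a shell would and
    accept only known flags and metacharacter-free values, so every
    spelling of -z ("-z reboot", "-zreboot", "-z<TAB>reboot") is rejected."""
    try:
        tokens = shlex.split(args)
    except ValueError:          # unbalanced quotes and similar
        return False
    expect_value = False
    for tok in tokens:
        if expect_value:
            # Value for the preceding flag: must not itself be a flag or
            # contain shell metacharacters.
            if tok.startswith("-") or SHELL_METACHARS & set(tok):
                return False
            expect_value = False
        elif tok.startswith("-"):
            if tok in FLAGS_WITH_VALUE:
                expect_value = True
            elif tok not in BARE_FLAGS:
                return False    # covers -z, -zreboot, -G, -C and any other unknown flag
        elif SHELL_METACHARS & set(tok):
            return False        # capture-filter word carrying metacharacters
    return not expect_value     # a trailing flag with no value is an error


if __name__ == "__main__":
    for candidate in ("-i eth0 -z reboot", "-i eth0 -zreboot", "-i eth0 -c 100 host 10.0.0.1"):
        print(f"{candidate!r}: weak={weak_filter(candidate)} hardened={hardened_filter(candidate)}")
```

Note that the hardened variant never asks "does this look like -z?"; it asks "is this token on the list of things we allow?", which is why variations in spacing, quoting or flag spelling do not matter to it.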
 
Being able to run an arbitrary binary on the system is in itself an issue that needs to be addressed. On its own, however, this vulnerability only allows limited command execution on the target machine; reaching further requires additional work.
 
Inspecting the tcpdump source code shows how the -z binary is executed: 'execlp(any_binary, filename)'. Here the file name is hard-coded to "/tmp/iplogging.pcap", which limits execution to binaries already present on the machine and allows no user-controlled parameters. This makes reaching a remote shell on the machine more complex.
 
To circumvent this limitation, the OTORIO researchers found a workaround: inserting crafted data into the file "/tmp/iplogging.pcap" so that it is both a valid PCAP and a valid shell script, with "sh" as the post-rotation command.
 
The data can be placed in the target PCAP file by sending it directly to the captured interface. Since other traffic on the interface can interfere, an alternative is to use the /cgi-bin/iplogging_upload.cgi page.


2. CVE-2022-46650 - Disclosure of Sensitive Information

A user with valid ACEManager credentials and access to the ACEManager interface can reconfigure the device to display the ACEManager credentials on the status page shown before login. This amounts to a persistent backdoor into the system and discloses the admin password in plain text.
 
The Embedded_Ace_Set_Task.cgi executable allows configuration values in the Configuration Manager to be modified. An attacker could exploit this by enabling the Device Status Screen configuration parameter (55052) and adding the password parameter (5003) to the list of parameters displayed on the pre-login page (55053).


Remedies

OTORIO has notified Sierra Wireless and CISA of these vulnerabilities. The relevant information can be found here:

Sierra Wireless has released updated firmware to address these vulnerabilities. Users are urged to update their devices, restrict access to the web interface, and use secure credentials. Devices exposed to the WAN are particularly vulnerable, and immediate action should be taken to mitigate this risk.


About OTORIO

OTORIO is an operational technology (OT) security company that provides end-to-end solutions for proactive digital risk management. These help industrial companies worldwide to maintain business continuity and protect ongoing operations. Together with partners, OTORIO offers comprehensive solutions and services for assessing, monitoring and managing the security risk for critical infrastructures, intelligent transport and logistics systems and industrial manufacturing companies. Industrial companies and comparable organizations can thus effectively secure their digital transformation in converged OT-IT IIoT network environments. OTORIO's global team has the extensive experience of leading international cybersecurity experts combined with in-depth knowledge of processes and requirements in many industrial sectors and similar areas. 

