Date: Wed, 22 Jun 2016 09:05:07 +0000
From: Karn Ganeshen <karnganeshen@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Sierra Wireless AirLink Raven XE Industrial 3G Gateway -
	Multiple Vulnerabilities

*Sierra Wireless AirLink Raven XE Industrial 3G Gateway - Multiple
Vulnerabilities*

*About*
http://www.sierrawireless.com/products-and-solutions/gateway-solutions/raven-series/

Rugged Design and Advanced Security for Fixed and Portable Wireless
Communication

Raven XE/XT
Compact design for industrial applications
Ethernet (XE) or serial (XT) options with USB and digital I/O

*APPLICATIONS:*
Remote Monitoring Surveillance Vending/Kiosk
Banking/ATM
Digital Signage

*1. Weak Credential Management *

The device web administration interface (TCP port 9191) and Airlink AT
Command Interpreter (Telnet TCP 2332) uses non-random default credentials
of user:12345. The application / system does not enforce a forced password
change for default credentials. A network-based attacker can use these
credentials to gain privileged access to these management interfaces.

*Affected devices: *

A
Device Models Raven XE HSPA
Radio Module TypeMC8790
Radio Firmware VersionK2_0_7_35AP C:/WS/FW/K2_0_7_35AP/MSM6290/SRC
2010/03/04 17:37:08
ATDevice ID0x010112DE143DD5A2
ATALEOS Software Version H2225E_4.0.10.001 Jul 21 2011
Device Hardware Configuration 0c150100000300000000000000000000
Boot Version 3.7.2

B
Device Models GX400
Radio Module Type MC5728
Radio Firmware Versionp2815600,53239 [Aug 27 2012 10:01:25] ATGlobal
IDCA1303309191005
ATALEOS Software Version 4.3.4
ALEOS Build number 009
Device Hardware Configuration 12160306000700000000000000000000
Boot Version 1.0.11
MSCI Version 10

C

Device Models GX440 + potentially all GX models

*Comment from the vendor*: Sierra Wireless strongly recommends that
customers change all the default passwords on equipment they purchase,
especially for interfaces that are enabled on public networks. We also
recommend that customers use the firewall configuration options to disable
these interfaces on the cellular WAN interface as an extra precaution.

+++++

*Additional Issue / Note *

It should be pointed out that during investigation of these issues, it was
found that at least one Raven device accessible over the internet had been
configured to forward port 80 traffic to the unauthenticated web
configuration form for an Anybus S Ethernet Controller connected to the LAN
side of the gateway. This is not a product vulnerability per se because the
forwarding feature is not enabled by default and has legitimate application
when the gateway is operating on private networks and/or the receiving
device has proper security measures in place. Sierra Wireless strongly
recommends that port forwarding never be enabled to unauthenticated or
otherwise insecure interfaces on the LAN side of the gateway and especially
not when the gateway is operating on public networks.

+++++

*2. Ace Manager contains a global CSRF vulnerability *

There is no anti-CSRF token in use. An attacker can perform actions with
the same permissions as a victim user, provided the victim has an active
session and is induced to trigger the malicious request.

*Affected devices: *

All Raven XE/XT models

*Comment from the vendor*: Sierra Wireless acknowledges the lack of
anti-CSRF tokens in the Ace Manager interface and will consider adding them
in a future release. In the meantime we recommend customers follow best
practice for sensitive networks and not simultaneously connect to critical
infrastructure equipment and the public internet where CSRF attacks are
likely to be found. Note that the Raven XE/XT devices are past end of life
and will not receive firmware updates to address this issue so adherence to
best practice is strongly recommended.

+++++

*3. Sensitive information leakage via GET requests *

Application uses GET requests post login and for certain functions. The
following GET request happens during login:

GET /admin/AceManager.htm?hwstr=
abcdef00000g00000000000000000000&user=<value_mapped_to_user>&pwd=<value_mapped_to_password>
HTTP/1.1
Host: IP:9191
User-Agent: blah
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://IP:9191/index.htm
Authorization: Basic dXNlcjoxMjM0NQ==
Connection: keep-alive

These GET requests with obfuscated creds are therefore prone to sniffing,
and can be used to log in directly to AceManager.

You will be logged in to device management portal by calling the following
url:

http://IP/admin/AceManager.htm?hwstr=abcdef00000g00000000000000000000&user=
<value_mapped_to_user>&pwd=<value_mapped_to_password>


*Points to note: *
1. These creds appear to be mapped to HTTP login (user:12345). A change in
http login changes these creds.
2. GET requests - vulnerable to sniffing.
3. Possibility of automating password brute force attacks


*Affected devices: *

All Raven XE/XT models


*Comment from the vendor*: Sierra Wireless acknowledges this issue in
versions of ALEOS compatible with the end of life Raven XE/XT family. It
does not exist in current ALEOS products. As previously noted there will be
no firmware updates to address this issue on the Raven XE/XT. Sierra
Wireless strongly recommends that best practices be followed and the Ace
Manager interface be disabled on the cellular WAN connection, particularly
when the device is active on public networks in order to prevent
exploitation of this sensitive information by internet-based attackers.

+++++

*4. Unauthenticated access to directories + Arbitrary File Upload *

Following directories can be accessed without any authentication:
http://IP/admin/AceManager.htm?hwstr=
http://IP:9191/admin/UpLoadTemp.htm
http://IP:9191/admin/UpLoad.htm

With access to ACEManager GUI */admin/UpLoadTemp.htm*, everyone gets access
to following options:

-> Upload, Download, Refresh options, Reboot option is also offered now.

There is also Logout option on this screen pointing that we are logged in.
No other function is shown. Anyone can potentially be able to reboot the
box. No authentication is needed.

Moving ahead.

When we make a request to http://IP:9191/admin/AceManager.htm, there are 3
GET requests made by the application:

http://IP:9191/admin/AceManager.htm
http://IP:9191/admin/UpLoadTemp.htm
http://IP:9191/admin/AceManager.htm

When we look at http://IP:9191/admin/UpLoadTemp.htm, there is no
authentication on this page, and we find it offers an option to upload a
template file, with three options -
a. Load to screen
b. Preview
c. Load & Apply

It may be possible to load a template that when loaded, modifies the
configuration and makes the device unavailable for access & usability.

Looking at the page source of /admin/UpLoadTemp.html, we find that
templates are uploaded to /Upload.

When we access http://IP:9191/admin/UpLoad.htm, there is no auth (again) on
this page, and it gives few more options and information.

a. Any unauthenticated user can upload any file to the device
b. Arbitrary files can be uploaded via the upload form. Files get uploaded
to /
c. Uploaded files can be accessed at: http://IP/<file_name>

*Affected devices: *

All Raven XE/XT models

*Comment from the vendor*: Sierra Wireless acknowledges in versions of
ALEOS compatible with the end of life Raven XE/XT family. It does not exist
in current ALEOS products. As previously noted there will be no firmware
updates to address this issue on the Raven XE/XT. Sierra Wireless strongly
recommends that the AceManager interface be disabled on the cellular WAN
connection, particularly when the device is active on public networks in
order to prevent exploitation of this sensitive information by
internet-based attackers.

+++++
-- 
Best Regards,
Karn Ganeshen

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists