Skip to main content

Multiple Vulnerabilities in Sierra AirLink Cellular Routers

 A critical and several high severity vulnerabilities have been found affecting Sierra AirLink cellular routers

Threat ID:
CC-4419
Threat Severity:
Medium
Published:
8 December 2023 4:08 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

 A critical and several high severity vulnerabilities have been found affecting Sierra AirLink cellular routers

Affected platforms

The following platforms are known to be affected:

Versions: All versions prior to 4.9.9

AirLink ALEOS Firmware

Threat details

Introduction

Sierra Wireless have released upgrades to address twenty-two vulnerabilities discovered affecting Sierra AirLink cellular routers as well as its open source components TinyXML and OpenNDS.

The vulnerabilities of highest criticality are highlighted in the vulnerability details.

Vulnerability details

  • CVE-2023-41101CWE-787 - Out-of-bounds Write 

This is a critical severity remote code execution (RCE) vulnerability in OpenNDS, with a CVSS score of 9.6, affecting captive portal in OpenNDS before version 10.1.3. An attacker could exploit this vulnerability to crash OpenNDS (Denial-of-Service condition) or inject and execute arbitrary bytecode (RCE).

  • CVE-2023-38316 CWE-116 - Improper Encoding or Escaping of Output

This is a high severity remote code execution (RCE) vulnerability, with a CVSS score of 8.8, affecting OpenNDS Captive Portal before version 10.1.2. If the custom unescape callback is enabled, attackers could exploit this vulnerability to execute arbitrary commands by inserting them into the URL portion of HTTP GET requests.

  • CVE-2023-40463 - CWE-798 - Use of Hard-coded Credentials

This is a high severity unauthorised access vulnerability in ALEOS, with a CVSS score of  8.1. If ALEOS versions 4.16 and earlier are configured in debugging mode by an authenticated user with administrative privileges, the SHA512 hash of the common root password is stored for that version in a directory accessible to an attacker with root privileges or equivalent access.

  • CVE-2023-40464 CWE-321 - Use of Hard-coded Cryptographic Key

This is a high severity unauthorised access vulnerability in ALEOS, with a CVSS score of  8.1. An attacker with access to the hardcoded SSL certificates and private keys used by ALEOS, could allow them to perform a man-in-the-middle attack between the ACEManager client and ACEManager server.

  • CVE-2023-40461 - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

This is a high severity cross-site scripting vulnerability, with a CVSS score of  8.1, affecting the ACEManager component of ALEOS in versions 4.16 and earlier. This attack could be exploited by an authenticated attacker with administrator privileges to access a file upload field which does not fully validate the file name, allowing them to perform a cross-site scripting attack.

  • CVE-2023-40458 - CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

This is a high severity denial of service vulnerability in ACEmanager, with a CVSS score of 7.5. This vulnerability could be exploited by a remote attacker to trigger a denial of service (DoS) condition for ACEManager without impairing other router functions. 

  • CVE-2023-40459 - CWE-476 - NULL Pointer Dereference

This is a high severity denial of service vulnerability, with a CVSS score of 7.5, affecting ACEManager component of ALEOS 4.16 and earlier. Due to inadequate input sanitization during authentication, an attacker could exploit this vulnerability to perform a denial of service (DoS) attack without impairing other router functions. 

  • CVE-2023-40462 - CWE-617 - Reachable Assertion

This is a high severity denial of service vulnerability in ACEmanager related to TinyXML, with a CVSS score of 7.5. Due to a lack of input sanitisation during authentication, an attacker could exploit this vulnerability to perform a denial of service (DoS) attack without impairing other router functions. 

  • CVE-2023-40460 - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

This is a high severity cross-site scripting vulnerability, with a CVSS score of  7.1, affecting the ACEManager component of ALEOS 4.16 and earlier. Due to a lack of validation of uploaded file names and types, an authenticated attacker could exploit this vulnerability to perform client-side script execution.

Remediation advice

Affected organisations are encouraged to review the AirLink ALEOS firmware updates Version 4.9.9 and Version 4.17.0OpenNDS updates and apply the relevant actions.

Please be aware that TinyXML is an unsupported open-source project, so the upstream vulnerabilities must be addressed downstream by affected vendors.

CVE Vulnerabilities

Status Published

CVE-2023-38313

An issue was discovered in OpenNDS Captive Portal before 10.1.2. it has a do_binauth NULL pointer dereference that can be triggered with a crafted GET HTTP request with a missing client redirect query string parameter. Triggering this issue results in crashing openNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.
Status Published

CVE-2023-38314

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a NULL pointer dereference in preauthenticated() that can be triggered with a crafted GET HTTP request with a missing redirect query string parameter. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition).
Status Published

CVE-2023-38315

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a try_to_authenticate NULL pointer dereference that can be triggered with a crafted GET HTTP with a missing client token query string parameter. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition).
Status Published

CVE-2023-38320

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a show_preauthpage NULL pointer dereference that can be triggered with a crafted GET HTTP with a missing User-Agent header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition).
Status Reserved

CVE-2023-38321
Status Published

CVE-2023-38322

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a do_binauth NULL pointer dereference that be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.
Status Published

CVE-2023-38316

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests.
Status Reserved

CVE-2023-38317
Status Reserved

CVE-2023-38318
Status Reserved

CVE-2023-38319
Status Reserved

CVE-2023-38323
Status Published

CVE-2023-38324

An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It allows users to skip the splash page sequence when it is using the default FAS key and when OpenNDS is configured as FAS (default).
Status Published

CVE-2023-41101

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. get_query in http_microhttpd.c does not validate the length of the query string of GET requests. This leads to a stack-based buffer overflow in versions 9.x and earlier, and to a heap-based buffer overflow in versions 10.x and later. Attackers may exploit the issue to crash OpenNDS (Denial-of-Service condition) or to inject and execute arbitrary bytecode (Remote Code Execution).
Status Published

CVE-2023-41102

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. It has multiple memory leaks due to not freeing up allocated memory. This may lead to a Denial-of-Service condition due to the consumption of all available memory.
Status Published

CVE-2023-40458

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote attacker to trigger a Denial of Service (DoS) condition for ACEManager without impairing other router functions. This condition is cleared by restarting the device.
Status Published

CVE-2023-40459

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.
Status Published

CVE-2023-40460

The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an authenticated user to perform client-side script execution within ACEManager, altering the device functionality until the device is restarted.
Status Published

CVE-2023-40461

The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field which does not fully validate the file name, creating a Stored Cross-Site Scripting condition.
Status Reserved

CVE-2023-34194
Status Published

CVE-2023-40462

The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially result in a Denial of Service (DoS) condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by restarting within ten seconds of becoming unavailable.
Status Published

CVE-2023-40463

When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access.
Status Published

CVE-2023-40464

Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server.

Last edited: 8 December 2023 4:30 pm