Rewterz Threat Advisory – ICS: Sierra Wireless AirLink ALEOS

Severity

High

Analysis Summary

CVE-2018-4061

A specially crafted authenticated HTTP request can inject arbitrary commands, resulting in remote code execution.

CVE-2018-4062

Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.

CVE-2018-4063

A specially crafted authenticated HTTP request can upload a file, resulting in an executable, routable code upload to the web server.

CVE-2018-4065 

A specially crafted HTTP ping request can cause reflected JavaScript to be executed and run on the user’s browser. An attacker can exploit this by convincing a user to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.

CVE-2018-4066 

A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests through an authenticated user. Triggering this vulnerability may allow an attacker access to authenticated pages via an authenticated user.

CVE-2018-4067

A specially crafted authenticated HTTP request can cause an information leak, resulting in the disclosure of internal file paths.

CVE-2018-4069

The ACEManager authentication functionality is delivered in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device, which may allow access to credentials.

Impact

• OS Command Injection
• Use of Hard-coded Credentials
• Unrestricted Upload of File with Dangerous Type
• Cross-site Scripting
•  Cross-site Request Forgery
• Information Exposure
• Missing Encryption of Sensitive Data

Affected Vendors

Sierra Wireless

Affected Products

AirLink ALEOS

Remediation

Refer to ICS advisory for the list of affected products and upgraded patches.

https://www.us-cert.gov/ics/advisories/ICSA-19-122-03