Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios. The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450. ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Sierra Wireless to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Sierra Wireless AirLink ES450 ACEManager iplogging.cgi command injection vulnerability (TALOS-2018-0746/CVE-2018-4061)

An exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 SNMPD hard-coded credentials vulnerability (TALOS-2018-0747/CVE-2018-4062)

A hard-coded credentials vulnerability exists in the SNMPD function of the Sierra Wireless AirLink ES450 FW 4.9.3. Activating SNMPD outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate SNMPD without any configuration changes to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager upload.cgi remote code execution vulnerability (TALOS-2018-0748/CVE-2018-4063)

An exploitable remote code execution vulnerability exists in the upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the web server. An attacker can make an authenticated HTTP request to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager upload.cgi unverified password change vulnerability (TALOS-2018-0749/CVE-2018-4064)

An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an unverified device configuration change, resulting in an unverified change of the `user` password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager ping_result.cgi cross-site scripting vulnerability (TALOS-2018-0750/CVE-2018-4065)

An exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected JavaScript to be executed in the victim's browser. An attacker can exploit this by convincing a victim to click a link or embedded URL that redirects to the reflected cross-site scripting vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager cross-site request forgery vulnerability (TALOS-2018-0751/CVE-2018-4066)

An exploitable cross-site request forgery vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, resulting in unauthenticated requests being issued through an authenticated user. Triggering this vulnerability may allow an attacker to get authenticated pages via an authenticated user.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager template_load.cgi information disclosure vulnerability (TALOS-2018-0752/CVE-2018-4067)

An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager information disclosure vulnerability (TALOS-2018-0753/CVE-2018-4068)

An exploitable information disclosure vulnerability exists in the ACEManager function of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in the disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager information exposure vulnerability (TALOS-2018-0754/CVE-2018-4069)

An information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. ACEManager authentication is performed in plaintext XML sent to the web server. An attacker can listen to network traffic upstream from the device to capitalize on this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Get_Task.cgi information disclosure vulnerability (TALOS-2018-0755/CVE-2018-4070, CVE-2018-4071)

An exploitable information disclosure vulnerability exists in the ACEManager Embedded_Ace_Get_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause information disclosure, resulting in the exposure of confidential information, including, but not limited to, plain text passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Sierra Wireless AirLink ES450 ACEManager Embedded_Ace_Set_Task.cgi permission assignment vulnerability (TALOS-2018-0756/CVE-2018-4072, CVE-2018-4073)

An exploitable permission assignment vulnerability exists in the ACEManager Embedded_Ace_Set_Task.cgi function of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause arbitrary setting writes, resulting in unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Versions tested

Talos tested and confirmed that the Sierra Wireless AirLink ES450 FW 4.9.3 is affected by these vulnerabilities.

Devices affected

Sierra Wireless has confirmed that multiple devices are affected by various subsets of these vulnerabilities, including:

  • GX400
  • ES/GX440
  • LS300
  • ES/GX450
  • MP70
  • RV50/50X
  • LX40/60X

More thorough information about untested devices can be found through the Sierra Wireless advisories.  

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48600, 48635, 48614 - 48621, 48747