Forescout uncovers 21 Sierra Wireless router vulnerabilities
Forescout is urging enterprises to patch software for affected OT/IoT routers as attackers increasingly target edge devices to gain network access to critical infrastructure.
During an analysis of Sierra Wireless routers, Forescout discovered 21 new vulnerabilities that are relatively easy to exploit but historically challenging for enterprises to address.
In research published Wednesday, Forescout's Vedere Labs detailed the vulnerabilities that range from medium to critical severity and affect Sierra Wireless AirLink cellular routers as well as some of its open source components, TinyXML and OpenNDS. Researchers warned that attackers could exploit some of the vulnerabilities to gain control of the operational technology (OT) and IoT devices, many of which are used to connect local networks for critical infrastructure through cellular connections.
While Forescout reported the vulnerabilities to Sierra and patches were released during the past month, the problem is pervasive. Forescout conducted a recent Shodan search that showed 86,174 vulnerable routers were exposed on the internet, including more than 60,000 in the U.S. More alarmingly, less than 10% of those exposed routers were confirmed to be patched against known vulnerabilities disclosed since 2019. Additionally, 80% of the devices were end of life, so patches are unavailable.
Forescout found affected devices in multiple critical infrastructure sectors such as manufacturing, healthcare, energy, transportation, water, emergency services and vehicle tracking. Researchers warned affected devices could be used to stream video remotely or connect to the internal networks of police vehicles.
The research highlighted an attack scenario against a healthcare organization. Using these vulnerabilities, attackers could take control of a router in a hospital, then pivot to patients' medical devices and distribute malware. While just a scenario, Forescout said it shows why securing edge devices is critical.
Multiple CISA advisories published over the past year show attackers have increasingly targeted routers to gain initial access, deploy malware and conduct reconnaissance. In September, the agency warned that a China-linked threat actor it tracks as BlackTech was targeting the firmware of network routers, including Cisco devices. The advisory emphasized the threat actor's skill at avoiding detection and leveraging modified firmware to gain corporate-level access to companies in the U.S. and Japan. Another advisory, published in April, urged enterprises to patch vulnerable Cisco routers that were being exploited by Russian-backed APT28, more commonly known as Fancy Bear.
A large component of the Sierra Wireless AirLink router research involved the ALEOS Application Framework, which encompasses the building blocks and tools developers can use to create applications that run inside the router. However, it appears Sierra's deployment guidance for the framework's management interface is not being followed.
"While the ALEOS documentation recommends exposing Acemanager only within local networks, we found more than 86,000 Acemanager instances exposed directly to the internet," the research paper said. "Most of those devices (nearly 64%) run a version of ALEOS without the security patches for the vulnerabilities shown in table 1 [past vulnerability disclosures for Sierra Wireless devices]."
The newly discovered ALEOS vulnerabilities can be leveraged for DoS and cross-site scripting attacks. Two of the higher-severity vulnerabilities, tracked as CVE-2023-40463 and CVE-2023-40464, can allow attackers to gain unauthorized access to an affected device.
Supply chain risks
Forescout researchers found the open source components in Sierra Wireless routers carried considerable risk. The routers incorporate TinyXML, an abandoned project that no longer receives patches, and OpenNDS, which is used to create a captive portal. Forescout found one OpenNDS vulnerability that received a critical CVSS score of 9.6. The flaw, tracked as CVE-2023-41101, could be exploited for remote code execution or DoS. More importantly, because such third-party components ship inside many different products, the vulnerabilities pose a risk to the supply chain.
"Supply chain components, such as open-source software provided by third parties, can be very risky and increase the attack surface of critical devices, leading to vulnerabilities that may be hard for asset owners to track and mitigate," Forescout researchers wrote in an accompanying blog post.
Although it is challenging, Daniel dos Santos, Forescout's head of security research, advised original equipment manufacturers to be aware of all components used in the device to limit supply chain risks. He recommended regression testing and staying up to date with internal patches.
"For the end users, the thing is you have to rely on the manufacturers to be aware in the first place and to produce patches when needed, but [manufacturers] need to have their own controls as well," Santos said.
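The component-tracking that dos Santos recommends is usually done against a software bill of materials (SBOM). The script below is an added example, not code from Forescout or Sierra Wireless: it reads a constructed CycloneDX SBOM for a hypothetical firmware image and flags components on a watchlist, either because upstream is unmaintained (the article's point about TinyXML) or because the shipped version predates a fix. The SBOM contents, the watchlist, and the OpenNDS "fixed_in" version are assumptions made for illustration; the real vendor advisory data would replace them.

```python
"""Flag risky third-party components in a CycloneDX SBOM.

Added example, not Forescout's or Sierra Wireless's code. The SBOM below is
constructed; watchlist entries are assumptions, except that TinyXML being an
abandoned project is stated in the article.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM for a hypothetical router firmware image.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "TinyXML", "version": "2.6.2",
         "purl": "pkg:generic/tinyxml@2.6.2"},
        {"type": "library", "name": "opennds", "version": "9.8.0",
         "purl": "pkg:generic/opennds@9.8.0"},
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12"},
    ],
})

# Watchlist policy keyed by lower-cased component name.
#   "unmaintained": flag every version (no upstream patches to wait for).
#   "fixed_in":     flag any version older than this; the value for opennds
#                   is a hypothetical placeholder, not the real fixed release.
WATCHLIST = {
    "tinyxml": {"unmaintained": True},
    "opennds": {"fixed_in": "10.0.0"},  # hypothetical placeholder version
}


def parse_version(v):
    """Turn '10.1.3' or '2.6.2-rc1' into a tuple of ints for comparison."""
    nums = re.findall(r"\d+", v or "")
    return tuple(int(n) for n in nums)


def component_name(comp):
    """Prefer the 'name' field; fall back to the purl 'pkg:type/name@ver'."""
    name = (comp.get("name") or "").strip().lower()
    if name:
        return name
    m = re.match(r"pkg:[^/]+/([^@/]+)", comp.get("purl", ""))
    return m.group(1).lower() if m else ""


def scan_sbom(sbom_json, watchlist=WATCHLIST):
    """Return a list of (name, version, reason) findings for watchlisted components."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        name = component_name(comp)
        version = comp.get("version", "")
        policy = watchlist.get(name)
        if policy is None:
            continue
        if policy.get("unmaintained"):
            findings.append((name, version, "unmaintained upstream; no patches expected"))
        elif "fixed_in" in policy:
            if not parse_version(version):
                # An SBOM entry with no usable version cannot be cleared automatically.
                findings.append((name, version, "version unknown; verify manually"))
            elif parse_version(version) < parse_version(policy["fixed_in"]):
                findings.append((name, version, f"older than fixed version {policy['fixed_in']}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in scan_sbom(SAMPLE_SBOM):
        print(f"{name} {version}: {reason}")
```

Running it against the constructed SBOM reports TinyXML (any version, because upstream is abandoned) and OpenNDS 9.8.0 (older than the placeholder fix), and stays silent on OpenSSL, which is not on the watchlist. In practice the watchlist would be generated from vendor advisories and the SBOM from the firmware build, and the check would run on every image before release and on every asset inventory refresh.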
Before analyzing the products, Santos and other researchers split the attack surface into two categories: areas people had already examined in Sierra Wireless routers, and areas that had not yet been researched. Santos was not surprised a deep dive into the devices uncovered 21 new vulnerabilities, but he was surprised by what they found in places other researchers had already examined. "The more time you spend looking at a device like this, the more you will find," he said.
He attributed the earlier misses to the differing goals of prior research. Forescout's goal was to conduct a thorough review because Sierra is one of the most popular router manufacturers and its products are used for many different applications, including critical infrastructure. Santos applauded Sierra for its cooperation during the vulnerability disclosure process.
"Sierra was absolutely great to work with. I'm super happy to say that, because many times we deal with companies that are not so great," he said.
He added that Sierra swiftly released patches and is working with CISA to release an advisory on the flaws.
Mitigation recommendation
Santos recommended that enterprises prioritize the captive portal vulnerabilities because exploitation is the easiest and can lead to device takeover. The second-most exploitable of the 21 flaws are the ones that are related to web interface but require the attacker to have credentials. However, Santos emphasized that none of the vulnerabilities are very complex to exploit.
"The interesting thing about the web interface is that according to manufacturer's guidance, it should not even be exposed on the internet. It's something that should just be on a local network or via VPN, but we see more than 80,000 of those web interfaces exposed online," Santos said.
He attributed the high exposures to companies' lack of awareness and visibility into OT environments. Configuration and remote maintenance can be complicated and lead to unintended internet-facing devices. Additionally, it's common that companies will simply forget to remove an exposed device from the public internet.
Santos also expanded on the distressing 10% of confirmed patches in the wild, saying it's unlikely the other 90% will be patched. "We have some confirmation now, but anecdotally we heard previously from device manufacturers in the OT field that's what you can expect in terms of patches. It's at most 10%," he said. "I would expect it to be higher, but it's not. This was disheartening for me to see, and the worst part of the research was to see those actual numbers."
Forescout said complete protection against the new vulnerabilities requires companies to patch devices running the affected software. To address the ongoing timely patching problem, Santos said enterprises need to improve their visibility and implement effective risk assessment management. Because routers are perimeter devices that have a higher likelihood of exploitation, security should be a priority.
Although unrelated to the Sierra research, Forescout has also been tracking an interesting shift in the threat landscape. Santos warned that attackers have recently favored vulnerabilities and weaknesses in perimeter devices over phishing and valid credentials bought over the internet.
"The vulnerabilities and especially the recent vulnerabilities or even zero days in perimeter devices are getting massively exploited this year," he said. "When you have a vulnerability like that that doesn't require a lot of contact or preconditions to be exploited and you have 80,000 out there, you can easily make some damage."
Arielle Waldman is a Boston-based reporter covering enterprise security news.