"Sierra:21" vulnerabilities target Critical infrastructure routers

A set of 21 vulnerabilities, collectively named Sierra:21, has been identified in Sierra Wireless OT/IoT routers. They expose critical infrastructure to denial-of-service attacks, cross-site scripting, unauthorized access, remote code execution, and authentication bypass.

Forescout Vedere Labs found the vulnerabilities in Sierra Wireless AirLink cellular routers and in two open-source components they use, TinyXML and OpenNDS (Open Network Demarcation Service). AirLink routers are widely used in industrial and mission-critical applications because of their high-performance 3G/4G/5G and WiFi connectivity and their support for multiple networks.

Sierra routers are utilized in various industries, including manufacturing, emergency services, government systems, energy, transportation, water and wastewater, and healthcare, for complex scenarios requiring high-performance connectivity.

Faults and effects

The Forescout researchers found 21 new vulnerabilities in Sierra AirLink cellular routers and in the TinyXML and OpenNDS components, which are also bundled in other products.

The issues fall into three severity levels: critical, high, and medium.

The following is a summary of the most notable vulnerabilities:

  • CVE-2023-41101 (Remote Code Execution in OpenNDS – critical severity score of 9.6)
  • CVE-2023-38316 (Remote Code Execution in OpenNDS – high severity score of 8.8)
  • CVE-2023-40463 (Unauthorized Access in ALEOS – high severity score of 8.1)
  • CVE-2023-40464 (Unauthorized Access in ALEOS – high severity score of 8.1)
  • CVE-2023-40461 (Cross Site Scripting in ACEmanager – high severity score of 8.1)
  • CVE-2023-40458 (Denial of Service in ACEmanager – high severity score of 7.5)
  • CVE-2023-40459 (Denial of Service in ACEmanager – high severity score of 7.5)
  • CVE-2023-40462 (Denial of Service in ACEmanager related to TinyXML – high severity score of 7.5)
  • CVE-2023-40460 (Cross Site Scripting in ACEmanager – high severity score of 7.1)

At least five of the vulnerabilities listed above can be exploited without authentication. Several others affecting OpenNDS likely do not require it either, since the typical attack scenario involves a client that is still trying to join the network or service and has therefore not been authenticated yet.

According to the researchers, some of these vulnerabilities could be used by an attacker "to take full control of an OT/IoT router in sensitive infrastructure." A compromised router could then be used to deploy malware, disrupt the network, enable espionage, or move laterally to more valuable assets.

The researchers also note that, beyond hands-on exploitation by human attackers, botnets can use these vulnerabilities for automated propagation, communication with command-and-control servers, and DoS attacks.

Using the Shodan search engine for internet-connected devices, the Forescout researchers also found more than 86,000 AirLink routers exposed online in organizations involved in power distribution, vehicle tracking, waste management, and national health services.

The United States accounts for almost 80% of the exposed systems, followed by Canada, Australia, France, and Thailand. Of those, more than 22,000 are still using the default SSL certificate and are therefore exposed to man-in-the-middle attacks, and fewer than 8,600 have patched vulnerabilities that were disclosed in 2019.

Remediation advice

Administrators are advised to upgrade to ALEOS version 4.17.0 or ALEOS 4.9.9, which fixes all issues except those affecting OpenNDS captive portals, the component that sits between the public internet and the local area network.

The OpenNDS project has fixed the vulnerabilities affecting it in version 10.1.3. TinyXML, however, is no longer maintained, so the CVE-2023-40462 vulnerability in that project is not expected to be fixed upstream.

For further protection, Forescout suggests implementing the following additional steps:

  • Replace the default SSL certificate on Sierra Wireless routers and similar devices.
  • Disable or restrict unnecessary services such as captive portals, Telnet, and SSH.
  • Deploy a firewall to shield OT/IoT routers from internet-based threats.
  • Use an intrusion detection system that monitors both internal and external network traffic and understands OT/IoT protocols.
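The first of these steps can be verified from the defender's side. The following script is an added example, not code from the article or from Forescout's report. It computes the SHA-256 fingerprint of the certificate a device presents and then audits an inventory of fingerprints: any host presenting a fingerprint on a list of known factory-default certificates is flagged, and so is any certificate shared by several devices, because a certificate that many unrelated routers present in common is almost certainly a default one. The known-default fingerprint, the host names and the PEM blob are constructed placeholders; the real fingerprint would be recorded from a device that still runs its out-of-the-box certificate.

```python
import base64
import hashlib
import ssl
from collections import defaultdict

# Fingerprints of certificates known to ship as factory defaults.
# PLACEHOLDER: the real value is not given in the article; in practice it would
# be recorded from a device that still presents its out-of-the-box certificate.
KNOWN_DEFAULT_FINGERPRINTS = {"0" * 64}


def fingerprint_from_der(der_cert: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_from_pem(pem_cert: str) -> str:
    """Fingerprint of a PEM-encoded certificate (the form the ssl module returns)."""
    return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem_cert))


def fetch_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf certificate a live device presents.

    ssl.get_server_certificate() does not validate the chain when no CA bundle
    is given, which is what we want here: a default certificate is usually
    self-signed, and the goal is to record what the device presents.
    """
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))


def audit(inventory: dict, min_shared: int = 2) -> dict:
    """Classify hosts by the certificate fingerprint they present.

    inventory maps host -> SHA-256 fingerprint (hex). Returns three sorted
    lists: 'known_default' (fingerprint on the known-default list), 'shared'
    (fingerprint presented by at least min_shared hosts, a strong sign of a
    default certificate even when it is not on the list) and 'unique'.
    """
    hosts_by_fp = defaultdict(list)
    for host, fp in inventory.items():
        hosts_by_fp[fp.lower()].append(host)

    findings = {"known_default": [], "shared": [], "unique": []}
    for fp, hosts in hosts_by_fp.items():
        if fp in KNOWN_DEFAULT_FINGERPRINTS:
            findings["known_default"].extend(hosts)
        elif len(hosts) >= min_shared:
            findings["shared"].extend(hosts)
        else:
            findings["unique"].extend(hosts)
    for hosts in findings.values():
        hosts.sort()
    return findings


# Constructed inventory (no real devices): one host on the known-default
# fingerprint, two hosts sharing an unlisted certificate, one with its own.
CONSTRUCTED_INVENTORY = {
    "router-01.example.net": "0" * 64,
    "router-02.example.net": "a" * 64,
    "router-03.example.net": "A" * 64,   # same cert as router-02, different case
    "router-04.example.net": "b" * 64,
}

# Constructed PEM blob: base64 of arbitrary bytes, not a real X.509 certificate,
# used only to exercise the PEM -> DER -> fingerprint path offline.
CONSTRUCTED_DER = b"constructed bytes standing in for a DER certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    # To audit live devices, build the inventory with
    # {host: fetch_fingerprint(host) for host in hosts} instead.
    for category, hosts in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{category}: {', '.join(hosts) or '-'}")
```

Hosts reported under "known_default" or "shared" are candidates for the certificate replacement the first remediation step calls for; raising min_shared reduces noise on fleets where a few devices legitimately share an organization-issued certificate.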

Forescout has also published a technical report describing the vulnerabilities and the conditions under which they can be exploited. The company notes that threat actors are using custom malware to attack routers and network infrastructure, using the devices for persistence and espionage. Routers are also commonly used by attackers to grow their botnets or to proxy malicious traffic.