Forescout reports 21 vulnerabilities impacting Sierra Wireless AirLink cellular routers and a number of their open source components, including TinyXML and Open Network Demarcation Service (NDS).
Sierra OT/IoT routers play a central role in critical infrastructure, enabling high-performance 3G/4G/5G and WiFi connectivity. These assets are reportedly used across various sectors, including government systems, emergency services, energy, transportation, water and wastewater facilities, manufacturing units, and healthcare organizations.
The majority of exposed systems, approximately 80 percent, appear to be located in the United States, with other affected regions including Canada, Australia, France, and Thailand.
A potential compromise of these systems may result in a diverse set of threats, including:
Network disruption, preventing intended operators (e.g., state officials, healthcare workers, critical infrastructure operators, etc.) from communicating with remote servers, subsequently isolating them.
Espionage by enabling the installation of malware, such as a backdoor or trojan.
Malware deployment, including ransomware, which is presently a major threat for the US healthcare and critical infrastructure sector among others.
The vulnerabilities Forescout reports include remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks.
CVE-2023-41101 (Remote Code Execution in OpenNDS – CVSS: 9.6)
CVE-2023-38316 (Remote Code Execution in OpenNDS – CVSS: 8.8)
CVE-2023-40463 (Unauthorized Access in ALEOS – CVSS: 8.1)
CVE-2023-40464 (Unauthorized Access in ALEOS – CVSS: 8.1)
CVE-2023-40461 (Cross Site Scripting in ACEmanager – CVSS: 8.1)
CVE-2023-40458 (Denial of Service in ACEmanager – CVSS: 7.5)
CVE-2023-40459 (Denial of Service in ACEmanager – CVSS: 7.5)
CVE-2023-40462 (Denial of Service in ACEmanager related to TinyXML – CVSS: 7.5)
CVE-2023-40460 (Cross Site Scripting in ACEmanager – CVSS: 7.1)
Available remediation measures include upgrading to ALEOS (AirLink Embedded Operating System) version 4.17.0.
The disclosure of 21 vulnerabilities impacting OT/IoT employed in critical infrastructure was anticipated last November during the preparation of the Black Hat conference that is now ongoing in London, England. However, Clipeus has no information to confirm whether these are the same 21 vulnerabilities referenced by Fourescout.