Tech Support
Documentation
Login
Contact Us
Sierra Flaws Cyber Attack: Router Vulnerabilities Unveiled
Wajahat Raja
December 19, 2023 - TuxCare expert team
In a recent scrutiny of Sierra wireless routers, Forescout’s Vedere Labs uncovered 21 novel vulnerabilities that, though relatively straightforward to exploit, pose historical challenges for enterprises to rectify. Forescout’s Vedere Labs outlined these vulnerabilities, spanning from medium to critical severity, impacting Sierra Wireless AirLink cellular routers and some of its open-source components, namely TinyXML and OpenNDS. The critical sectors vulnerability raises significant concerns, as attackers could potentially exploit these vulnerabilities to assume control over operational technology (OT) and Internet of Things (IoT) devices. Many of these devices play a crucial role in connecting local networks for critical infrastructure through cellular connections. This blog post will cover the details of the Sierra flaws cyber attack as well as mitigation measures that will help stay secure.
Sierra Flaws Cyber Attack: Widespread Impact
Despite Forescout promptly reporting these vulnerabilities to Sierra and subsequent patches being released over the past month, the issue persists on a considerable scale. According to the Sierra security vulnerability update, specifically, the Shodan search conducted by Forescout exposed 86,174 vulnerable routers on the internet, with over 60,000 located in the U.S. Alarmingly, less than 10% of these routers were confirmed to be patched against known vulnerabilities disclosed since 2019. Furthermore, a staggering 80% of these devices had reached their end-of-life, making patches unavailable.
Flaws Impacting Critical Sectors
Forescout’s research identified that the Sierra flaws cyber attack poses threats to key sectors, including manufacturing, healthcare, energy, transportation, water, emergency services, and vehicle tracking. The potential ramifications are severe, with the possibility of attackers remotely streaming video or infiltrating the internal networks of police vehicles.
A vivid scenario outlined by Forescout involves a healthcare organization, emphasizing the vulnerabilities as an avenue for attackers to compromise routers in hospitals. This could lead to attacks on medical devices, the distribution of malware and pose a substantial threat to patient safety. Thus, protecting critical infrastructure has become increasingly important.
CISA Advisories and Growing Router Exploitations
Multiple advisories from the Cybersecurity and Infrastructure Security Agency (CISA) over the past year underscore the escalating focus of attackers on routers to gain initial access, deploy malware, and conduct reconnaissance.
In September, CISA warned of a China-linked threat actor, BlackTech, targeting router firmware, emphasizing the adeptness in avoiding detection and exploiting firmware to gain corporate-level access. Another advisory in April urged enterprises to patch vulnerable Cisco routers exploited by the Russian-backed APT 28, known as Fancy Bear.
Sierra Wireless AirLink Router
A pivotal aspect of Forescout’s research delves into the Aleos Application Framework, containing building blocks and tools for developers to create applications within the router. Despite the framework’s documentation recommending the exposure of Acemanager only within local networks, Forescout’s findings revealed more than 86,000 instances exposed directly to the internet. The majority of these devices (nearly 64%) ran a version of ALEOS without the security patches, exposing vulnerabilities disclosed in previous Sierra Wireless devices.
Supply Chain Risks and Open Source Components
Forescout researchers uncovered significant risks associated with the open-source components in Sierra Wireless routers as well as the Sierra OS security concerns. These routers incorporate software from TinyXML, an abandoned project with no ongoing patch development, and OpenNDS, utilized for creating captive portals.
One critical vulnerability in OpenNDS, with a CVSS score of 9.6, could be exploited in denial-of-service (DoS) attacks, posing an additional risk to the supply chain. The researchers emphasized the potential difficulty for asset owners to track and mitigate vulnerabilities arising from third-party open-source software.
Addressing Supply Chain Risks
Daniel dos Santos, Forescout’s Head of Security Research, stressed the need for original equipment manufacturers (OEMs) to be vigilant about all components used in their devices to mitigate supply chain risks. He recommended regression testing and staying abreast of internal patches to enhance security measures. For end-users, Santos highlighted the reliance on manufacturers for awareness and timely patch production. He suggested a dual responsibility, urging manufacturers to proactively address vulnerabilities while emphasizing the importance of internal controls.
Mitigation Recommendations for Enterprises
Santos advised enterprises to prioritize addressing captive portal vulnerabilities, considering their ease of exploitation and potential to lead to device takeover. Among the 21 identified flaws, vulnerabilities related to web interfaces requiring attacker credentials were deemed the second-most exploitable. However, Santos underscored that none of the vulnerabilities were excessively complex to exploit. The exposure of over 80,000 web interfaces online was attributed to companies’ lack of awareness and visibility into Operational Technology (OT) environments.
Timely Patching Challenges and Enhanced Security Measures
Highlighting the distressing reality of only 10% of confirmed patches in the wild, Santos expressed skepticism about the likelihood of the remaining 90% being patched. Forescout emphasized the imperative need for companies to patch devices running the affected software comprehensively, securing systems from Sierra flaws cyber attack.
Santos recommended that enterprises enhance their visibility and implement effective risk assessment management to address the ongoing challenge of timely patching. With routers being prominent perimeter devices susceptible to exploitation, Santos emphasized the critical importance of prioritizing security measures.
While unrelated to the Sierra research, Forescout has observed a noteworthy shift in the cybersecurity threats in Sierra. Attackers increasingly target vulnerabilities and weaknesses in perimeter devices rather than relying on phishing or acquiring valid credentials. Santos highlighted the mass exploitation of recent vulnerabilities or even zero days in perimeter devices, emphasizing the potential for substantial damage due to the sheer number of exposed devices.
Conclusion
In conclusion, the Sierra flaws cyber attack risks underscore the critical need for proactive security measures, collaborative efforts between manufacturers and end-users, and heightened awareness of supply chain risks. As the threat landscape evolves, the importance of timely patching, comprehensive cyber attack risk assessment, and visibility into network environments becomes paramount to safeguarding critical infrastructure and sensitive data.
The sources for this piece include articles in The Hacker News and TechTarget.
