New Sierra:21 vulnerabilities in OT/IoT routers put critical infrastructure at risk, says Forescout Vedere Labs

Forescout's Vedere Labs researchers have uncovered 21 new vulnerabilities affecting OT/IoT routers deployed across multiple critical infrastructure sectors. Of the Sierra:21 vulnerabilities, one is rated critical severity, nine are rated high, and the remaining eleven are rated medium. These routers connect critical local networks to the Internet over cellular links such as 3G and 4G.

The Sierra:21 vulnerabilities primarily affect Sierra Wireless AirLink cellular routers and certain open-source components, including TinyXML and OpenNDS, which are utilized in various other products. These security vulnerabilities present substantial risks as they empower attackers to engage in a range of malicious activities. 

Exploiting these vulnerabilities could enable attackers to steal credentials, take control of a router by injecting malicious code, establish persistence on the device, and use it as an initial access point into critical networks.

“More than 86,000 vulnerable routers are exposed online,” Forescout researchers said in their Wednesday technical report. “Less than 10% of the total exposed routers are confirmed to be patched against known previous vulnerabilities found since 2019, which indicates a large attack surface. Ninety percent of devices exposing a specific management interface (AT commands over Telnet) have reached end of life, meaning they cannot be further patched.”

Additionally, “more than 22,000 exposed devices use a default SSL certificate (one of the vulnerabilities we identified – CVE-2023-40464), which allows for man-in-the-middle attacks to hijack or tamper with data in transit to and from the router.”

Moreover, the affected devices can be found in multiple critical infrastructure sectors, such as manufacturing and healthcare, government and commercial facilities, energy and power distribution, transportation, water and wastewater systems, retail, emergency services, and vehicle tracking. Affected devices can also be used to stream video for remote video surveillance or to connect police vehicles to internal networks.

The Sierra:21 vulnerabilities fall into five impact categories: remote code execution (RCE), cross-site scripting (XSS), denial of service (DoS), unauthorized access, and authentication bypass. The RCE vulnerabilities allow attackers to take full control of a device by injecting malicious code, while the XSS vulnerabilities may be used to inject malicious code into the browsers of clients using the ACEmanager application, potentially stealing credentials. The DoS vulnerabilities may be used to crash ACEmanager for purposes ranging from simple vandalism to more sophisticated multi-stage attacks.

Unauthorized access stems from design flaws such as hardcoded credentials, private keys, and certificates, which capable attackers can use to perform man-in-the-middle attacks or to recover passwords. Lastly, the authentication bypasses allow attackers to skip the captive portal's authentication and connect directly to the protected WiFi network.

The researchers also outlined that attackers could leverage some of the Sierra:21 vulnerabilities to take full control of an OT/IoT router in critical infrastructure and achieve different goals such as network disruption, espionage, lateral movement, and further malware deployment. Apart from human attackers, these Sierra:21 vulnerabilities can also be used by botnets for automatic propagation, communication with command-and-control servers, and the launch of DoS attacks. Previous botnets such as IoTroop/Reaper have targeted exposed Sierra Wireless routers via default credentials and zero days.

Sierra Wireless, OpenNDS, and Nodogsplash have been very responsive, and the relevant vulnerabilities have been patched, Vedere Labs said in its report. “TinyXML is an abandoned project, so the upstream vulnerabilities will not be fixed and must be addressed downstream. Beyond patching, recommended mitigations include disabling WiFi captive portals, deploying web application firewalls, and using OT/IoT aware intrusion detection systems,” they added. 

The researchers noted that the latest research confirms some trends that they have been tracking. Vulnerabilities on routers and network infrastructure are on the rise. Vulnerabilities on network infrastructure have consistently ranked among the most exploited since at least 2020; state-sponsored actors have been developing custom malware to use routers for persistence and espionage, while cybercriminals are leveraging them for residential proxies and to form botnets. 

They added that although most organizations are aware of the attack surface on their IT network infrastructure, many OT/IoT edge devices may not receive the same level of attention from security teams.

Furthermore, vulnerabilities in OT/IoT devices such as Sierra:21 often arise from design flaws, such as the use of hardcoded credentials and certificates seen in this research and previously in OT:ICEFALL, or from errors in parsing malformed packets, like the many the researchers saw previously in Project Memoria. The latter class is easier to exploit on OT/IoT devices because they lack effective exploit mitigations.

The Vedere Labs researchers also flagged that supply chain components, such as open-source software provided by third parties, can be very risky and increase the attack surface of critical devices, leading to vulnerabilities that may be hard for asset owners to track and mitigate.

“Finding so many new vulnerabilities on software components of a well-studied device shows that device manufacturers, and in turn asset owners, must pay special attention to risks stemming from the software supply chain, both from open- and closed-source components,” the researchers wrote in a blog post. “Asset owners are the ones who, at the end, may get breached due to insecure devices on their networks, and currently, they must either depend on device manufacturers to adequately address supply chain vulnerabilities or implement their own risk mitigation strategies that do not rely exclusively on patching.”

Addressing mitigation actions, the researchers said that complete protection against the Sierra:21 vulnerabilities requires patching devices running the affected software. The OpenNDS project has released OpenNDS 10.1.3 containing fixes for all reported vulnerabilities, and the Nodogsplash project has released Nodogsplash 5.0.2 containing a fix for CVE-2023-41101. TinyXML is an abandoned open-source project, so the upstream vulnerabilities will not be fixed and must be addressed downstream by affected vendors.

Sierra Wireless released ALEOS 4.17.0, which includes fixes for all relevant vulnerabilities, and ALEOS 4.9.9, which contains the applicable fixes except for the OpenNDS issues, since that version does not include OpenNDS.

In addition to patching, Forescout recommends changing the default SSL certificate on Sierra Wireless routers and on any other device in the network that relies on default certificates, and disabling captive portals and other services, such as Telnet and SSH, if they are not needed. Where those services are needed, limit access to them, and consider deploying a web application firewall in front of OT/IoT routers to prevent exploitation of web-based vulnerabilities, such as many of the XSS, command injection, and DoS issues found in this research.
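A fleet check for the shared default certificate issue quoted earlier (CVE-2023-40464 in the report) and for the mitigation above, written as an added example that is not Forescout's or Sierra Wireless's code. It hashes each router's leaf certificate, marks self-signed ones, and reports any fingerprint presented by more than one device, which is the tell-tale sign of a factory certificate: one private key recovered from any unit lets an attacker intercept traffic to all of them. The hostnames, the common name "router-default", and the three-router inventory are constructed for illustration; the page does not give the real default fingerprint, so the check relies on collisions across devices rather than a known hash. fetchLeaf is the live-scan entry point and is not called in the offline run.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// Finding describes the TLS certificate observed on one router's management interface.
type Finding struct {
	Host        string
	Fingerprint string // SHA-256 over the DER encoding, lowercase hex
	SelfSigned  bool
	Subject     string
}

// fingerprint returns the SHA-256 of the certificate's DER bytes, the value to
// compare against a vendor-published default-certificate hash when one is known.
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// inspect builds a Finding for one host. A certificate whose issuer equals its
// subject and whose signature verifies under its own key is self-signed,
// which is typical of factory defaults.
func inspect(host string, cert *x509.Certificate) Finding {
	selfSigned := bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return Finding{Host: host, Fingerprint: fingerprint(cert), SelfSigned: selfSigned, Subject: cert.Subject.String()}
}

// sharedCertificates groups hosts by fingerprint and keeps only groups with more
// than one host: the same leaf certificate on several devices means a default or
// cloned key, so the certificate must be replaced on every host listed.
func sharedCertificates(findings []Finding) map[string][]string {
	byFP := map[string][]string{}
	for _, f := range findings {
		byFP[f.Fingerprint] = append(byFP[f.Fingerprint], f.Host)
	}
	shared := map[string][]string{}
	for fp, hosts := range byFP {
		if len(hosts) > 1 {
			sort.Strings(hosts)
			shared[fp] = hosts
		}
	}
	return shared
}

// fetchLeaf retrieves the leaf certificate presented at addr ("host:port").
// Verification is disabled on purpose: the goal is to inspect whatever the
// device presents, default or not.
func fetchLeaf(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("%s: no certificate presented", addr)
	}
	return certs[0], nil
}

// selfSignedCert creates a throwaway self-signed certificate standing in for
// what a real scan would fetch, so the example runs offline.
func selfSignedCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sampleFleet is a constructed inventory: two routers still on the shared
// factory certificate (hypothetical CN "router-default") and one that was re-keyed.
func sampleFleet() []Finding {
	factory := selfSignedCert("router-default")
	unique := selfSignedCert("router-3.example.net")
	return []Finding{inspect("10.0.0.1", factory), inspect("10.0.0.2", factory), inspect("10.0.0.3", unique)}
}

func main() {
	fleet := sampleFleet()
	for _, f := range fleet {
		fmt.Printf("%-10s self-signed=%-5v subject=%-25s sha256=%s...\n", f.Host, f.SelfSigned, f.Subject, f.Fingerprint[:16])
	}
	for fp, hosts := range sharedCertificates(fleet) {
		fmt.Printf("SHARED certificate %s... on %v: replace it on every host\n", fp[:16], hosts)
	}
}
```

In a real audit, replace sampleFleet with a loop over the router inventory calling fetchLeaf on the ACEmanager HTTPS port, and treat every shared fingerprint as a host group whose certificate must be re-issued; a self-signed certificate that is unique to one device is a lesser finding, but still worth replacing with one issued by an internal CA so that clients can detect tampering.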

The researchers also suggest deploying an OT/IoT-aware intrusion detection system (IDS) to monitor both the connections between external networks and the routers as well as connections between the routers and devices behind them. This helps to detect signs of initial access leveraging the router, plus signs of attackers using the router to further exploit critical devices. 
