New vulnerabilities discovered in wireless IIoT devices putting critical infrastructure at risk

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity levels of specified vulnerabilities:

– CVE-2023-22600: Critical (CVSS v3 score 10.0)
– CVE-2022-3703, CVE-2022-41607 and CVE-2022-40981: Critical (CVSS v3 score 9.0)
– CVE-2022-46649 and CVE-2022-46650: High (CVSS v3 score 8.0)

A total of 38 security vulnerabilities have been discovered in wireless industrial internet of things (IIoT) devices from four separate vendors. Together they present a significant attack surface for threat actors seeking to compromise operational technology (OT) environments.

Some of the flaws expose a remote access point through which an unauthenticated threat actor can establish a foothold on the device. From there the actor can pivot laterally to other hosts in the compromised environment, potentially gaining wider access to internal OT networks.

Notable Vulnerabilities:

– ETIC Telecom Remote Access Server (RAS): CVE-2022-3703, CVE-2022-41607 and CVE-2022-40981
– Sierra Wireless AirLink routers: CVE-2022-46649 and CVE-2022-46650
– InHand Networks InRouter 302 and InRouter 615: CVE-2023-22600

Impact

– CVE-2022-3703: Successful exploitation could allow a threat actor to perform directory traversal through several different methods and read sensitive files from the server, including SSH private keys, passwords, scripts, Python objects and database files.

– CVE-2022-41607: Successful exploitation could allow a threat actor to force the RAS web portal to accept a malicious firmware package, providing backdoor access to and privilege escalation on the device.

– CVE-2022-40981: Successful exploitation could allow a threat actor to upload malicious files to the server. This could be used to overwrite sensitive or important files on the filesystem, fill the disk to capacity, or compromise the affected device with administrator-level privileges.

– CVE-2022-46649 and CVE-2022-46650: Successful exploitation could allow a threat actor to manipulate the IP logging operation to execute arbitrary shell commands on the device (CVE-2022-46649), or to reconfigure the device so that the ACEmanager credentials are exposed on the pre-login status page (CVE-2022-46650).

– CVE-2023-22600: The affected products communicate with the cloud platform over an unsecured channel by default. An unauthorised user in a position to intercept this traffic could steal sensitive information, such as configuration data and MQTT credentials, and use the stolen credentials for MQTT command injection.
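To make the impact of CVE-2023-22600 concrete, the following added example (not code from the bulletin, CISA or InHand Networks) decodes an MQTT 3.1.1 CONNECT packet exactly as an interceptor on the cleartext channel would see it, and flags sessions that carry a username or password to the unencrypted MQTT port. The packet and the "flows" it is run over are constructed inline with placeholder credentials, and the assumption that the cleartext channel is plain MQTT on TCP port 1883 is this example's, since the bulletin does not name the port.

```python
"""Decode MQTT 3.1.1 CONNECT packets from a cleartext capture and report exposed credentials.

Added example; not code from the bulletin or from any vendor. The sample packet and
flows are constructed here with placeholder values.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

CONNECT = 0x10          # packet type 1 in the high nibble, fixed-header flags 0
MQTT_PLAIN_PORT = 1883  # IANA "mqtt" (no TLS); 8883 is "secure-mqtt" (assumed port, see lead-in)


def _encode_string(s: bytes) -> bytes:
    """MQTT length-prefixed field: 2-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a length-prefixed field at pos; return (value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, pos)
    end = pos + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:end], end


def _encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length': 7 bits per byte, 0x80 set means continue."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _decode_remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    value, multiplier = 0, 1
    for _ in range(4):                      # the spec allows at most four bytes
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


@dataclass
class Connect:
    client_id: bytes
    username: Optional[bytes]
    password: Optional[bytes]
    keep_alive: int
    will_topic: Optional[bytes] = None


def build_connect(client_id: bytes, username: Optional[bytes] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Build a minimal CONNECT (clean session, no will) so the sample capture is self-contained."""
    flags = 0x02                                 # clean session
    payload = _encode_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _encode_string(username)
    if password is not None:
        flags |= 0x40
        payload += _encode_string(password)
    body = (_encode_string(b"MQTT") + bytes([4, flags])
            + struct.pack(">H", keep_alive) + payload)
    return bytes([CONNECT]) + _encode_remaining_length(len(body)) + body


def parse_connect(pkt: bytes) -> Connect:
    """Decode the variable header and payload of a CONNECT; raises ValueError if malformed."""
    if not pkt or pkt[0] != CONNECT:
        raise ValueError("not a CONNECT packet")
    length, pos = _decode_remaining_length(pkt, 1)
    if pos + length != len(pkt):
        raise ValueError("remaining length does not match packet size")
    proto, pos = _read_string(pkt, pos)
    if proto != b"MQTT":
        raise ValueError("unexpected protocol name %r" % proto)
    flags = pkt[pos + 1]                          # pkt[pos] is the protocol level (4)
    (keep_alive,) = struct.unpack_from(">H", pkt, pos + 2)
    pos += 4
    client_id, pos = _read_string(pkt, pos)
    will_topic = None
    if flags & 0x04:                              # will flag: topic and message precede the credentials
        will_topic, pos = _read_string(pkt, pos)
        _, pos = _read_string(pkt, pos)
    username = password = None
    if flags & 0x80:
        username, pos = _read_string(pkt, pos)
    if flags & 0x40:
        password, pos = _read_string(pkt, pos)
    return Connect(client_id, username, password, keep_alive, will_topic)


def find_exposed_credentials(flows: Iterable[Tuple[int, bytes]]) -> List[Tuple[bytes, Optional[bytes], Optional[bytes]]]:
    """Given (destination port, first client payload) pairs, return (client_id, username, password)
    for every CONNECT sent in the clear that carries a username or password."""
    hits = []
    for port, payload in flows:
        if port != MQTT_PLAIN_PORT or not payload or payload[0] != CONNECT:
            continue                              # TLS sessions start with a 0x16 record, not a CONNECT
        try:
            c = parse_connect(payload)
        except ValueError:
            continue
        if c.username is not None or c.password is not None:
            hits.append((c.client_id, c.username, c.password))
    return hits


# Constructed sample capture: one cleartext session and one TLS session (placeholder values).
SAMPLE_CONNECT = build_connect(b"inrouter-demo", b"demo-user", b"demo-pass")
SAMPLE_FLOWS = [
    (MQTT_PLAIN_PORT, SAMPLE_CONNECT),
    (8883, b"\x16\x03\x01\x00\x05hello"),         # fake TLS record header; nothing readable here
]

if __name__ == "__main__":
    for client_id, user, pw in find_exposed_credentials(SAMPLE_FLOWS):
        print("cleartext MQTT credentials: client=%r user=%r password=%r" % (client_id, user, pw))
```

The point of the example is that nothing about MQTT itself protects the CONNECT payload: the username and password are plain length-prefixed fields, so anyone on the path reads them directly. Once the device is moved onto an encrypted channel, as the patched firmware does, the first bytes on the wire are a TLS record and the decoder above sees nothing.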

Vulnerability Detection

Security patches for the vulnerabilities listed above have been released by the respective vendors. Earlier versions (detailed below) remain vulnerable to exploitation.

Affected Products

– CVE-2022-3703, CVE-2022-41607 and CVE-2022-40981: ETIC Telecom RAS versions prior to 4.5.0.

– CVE-2022-46649 and CVE-2022-46650: AirLink routers ES450 and GX450 running ALEOS versions prior to 4.9.7; AirLink routers MP70, RV50, RV50x, RV55, LX40 and LX60 running ALEOS versions prior to 4.16.0.

– CVE-2023-22600: InRouter 302: all versions prior to IR302 V3.5.56; InRouter 615: all versions prior to InRouter6XX-S-V2.3.0.r5542.
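The affected-product list above is the kind of thing that gets checked against an asset inventory. The following added example (not code from the bulletin, CISA or any vendor) does that check: it encodes the "prior to" boundaries exactly as the bulletin states them and compares each inventory row's firmware string against them. The inventory rows are constructed placeholders, and the rule for turning the vendors' differently shaped version strings into something comparable is an assumption made here. One caveat a practitioner should keep in mind: the remediation section below names 4.7 (ETIC RAS) and 4.9.8 (ES450/GX450) as the fix versions, which are later than the "prior to" boundaries given here, so a device sitting between the two should be confirmed against the vendor advisory rather than treated as clean.

```python
"""Check a device inventory against the affected-version list in this bulletin.

Added example; not code from the bulletin, CISA or any vendor. The affected ranges
are copied from the bulletin; the inventory rows and the version-string parsing
rules are assumptions made here.
"""
import re
from typing import Iterable, List, Tuple

# (vendor, models, "affected if prior to" version, CVEs), as the bulletin states them.
AFFECTED = [
    ("ETIC Telecom", ("RAS",), "4.5.0",
     ("CVE-2022-3703", "CVE-2022-41607", "CVE-2022-40981")),
    ("Sierra Wireless", ("ES450", "GX450"), "4.9.7",
     ("CVE-2022-46649", "CVE-2022-46650")),
    ("Sierra Wireless", ("MP70", "RV50", "RV50x", "RV55", "LX40", "LX60"), "4.16.0",
     ("CVE-2022-46649", "CVE-2022-46650")),
    ("InHand Networks", ("InRouter 302",), "IR302 V3.5.56", ("CVE-2023-22600",)),
    ("InHand Networks", ("InRouter 615",), "InRouter6XX-S-V2.3.0.r5542", ("CVE-2023-22600",)),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Reduce a firmware string to a tuple that compares numerically.

    Assumption: the numeric fields after the last capital 'V' (or the whole string
    when there is none) are ordered most-significant first, so
      '4.9.7'                       -> (4, 9, 7)
      'IR302 V3.5.56'               -> (3, 5, 56)
      'InRouter6XX-S-V2.3.0.r5542'  -> (2, 3, 0, 5542)
    """
    tail = version.rsplit("V", 1)[-1]
    fields = tuple(int(n) for n in re.findall(r"\d+", tail))
    if not fields:
        raise ValueError("no version number in %r" % version)
    return fields


def _norm(s: str) -> str:
    return "".join(s.split()).lower()      # 'LX 40' and 'lx40' match the same entry


def is_affected(vendor: str, model: str, version: str) -> List[str]:
    """Return the CVEs this bulletin lists for (vendor, model, version), or [] if not affected."""
    cves = set()
    for v, models, boundary, entry_cves in AFFECTED:
        if _norm(v) == _norm(vendor) and _norm(model) in {_norm(m) for m in models}:
            if version_key(version) < version_key(boundary):
                cves.update(entry_cves)
    return sorted(cves)


def check_inventory(rows: Iterable[Tuple[str, str, str, str]]) -> List[Tuple[str, List[str]]]:
    """rows: (hostname, vendor, model, firmware). Returns (hostname, CVEs) for affected devices."""
    findings = []
    for host, vendor, model, version in rows:
        cves = is_affected(vendor, model, version)
        if cves:
            findings.append((host, cves))
    return findings


# Constructed inventory (hostnames and firmware versions are placeholders).
SAMPLE_INVENTORY = [
    ("ras-plant-1", "ETIC Telecom", "RAS", "4.4.2"),
    ("gw-site-2", "Sierra Wireless", "RV55", "4.16.0"),
    ("gw-site-3", "Sierra Wireless", "GX450", "4.9.6"),
    ("gw-site-4", "Sierra Wireless", "LX 40", "4.15.3"),
    ("ir-pump-5", "InHand Networks", "InRouter 302", "IR302 V3.5.45"),
    ("ir-pump-6", "InHand Networks", "InRouter 615", "InRouter6XX-S-V2.3.0.r5600"),
    ("ir-pump-7", "InHand Networks", "InRouter 615", "InRouter6XX-S-V2.2.9.r5542"),
]

if __name__ == "__main__":
    for host, cves in check_inventory(SAMPLE_INVENTORY):
        print("%s: %s" % (host, ", ".join(cves)))
```

Comparison is strictly "less than the boundary", so a device already on the boundary version (gw-site-2 at 4.16.0 above) is not reported, while the InRouter 615 build number after ".r" is treated as the least significant field so that a newer build of the same 2.3.0 release is also not reported.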

Containment, Mitigations & Remediations

CISA and the respective vendors recommend the following patching and mitigation steps:

CVE-2022-3703, CVE-2022-41607 and CVE-2022-40981:

– Update the firmware of affected ETIC Telecom RAS devices to version 4.7
– Minimise network exposure for all control systems and ensure that they are not accessible from the internet
– Locate control system networks and remote devices behind firewalls and isolate them from business networks
– When remote access is required, use secure methods such as Virtual Private Networks (VPNs).

CVE-2022-46649 and CVE-2022-46650:

– Upgrade MP70, RV50, RV50x, RV55, LX40 and LX60 to ALEOS version 4.16.0 or later
– Upgrade ES450 and GX450 to ALEOS version 4.9.8 or later
– Always use strong and unique random credentials for devices
– Disable access to ACEmanager from the wide area network (WAN) and use the Sierra Wireless AirLink Management System (ALMS) or an alternative device management platform for remote management of ALEOS devices
– If ACEmanager must remain accessible from the WAN, restrict access using measures such as a private APN, a VPN or the ALEOS Trusted IP feature.

CVE-2023-22600:

– InRouter302 users should update the firmware to IR302 V3.5.56 or later
– InRouter615 users should update the firmware to InRouter6XX-S-V2.3.0.r5542 or later
– Minimise network exposure for all control systems, and ensure they are not accessible from the internet
– Locate control system networks and remote devices behind firewalls and isolate them from business networks
– When remote access is required, use secure methods such as VPNs.

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

Over 14 billion IoT devices are currently connected to the internet. Threat actors generally weigh the likelihood of successful exploitation against the value of the asset when deciding which attack surfaces to develop exploits for, and by that measure IoT devices have become a prime target. Because IoT devices are now integral to both personal and business activity, threat actors will continue to exploit vulnerabilities in them to exfiltrate sensitive data or disrupt business operations.

Threat Group

No attribution to specific threat actors/groups has been identified at the time of writing.

Mitre Methodologies

TA0008 – Lateral Movement
TA0004 – Privilege Escalation

Execution:

T1059 – Command and Scripting Interpreter

Defense Evasion:

T1202 – Indirect Command Execution

Collection:

T1005 – Data from Local System

Further Information

Hacker News Article
CISA CVE-2022-3703, CVE-2022-41607 and CVE-2022-40981 Advisory
CISA CVE-2022-46649 and CVE-2022-46650 Advisory
CISA CVE-2023-22600 Advisory