Sierra:21

Supply Chain Vulnerabilities in IoT/OT routers

Forescout’s Vedere Labs has identified 21 new vulnerabilities that affect OT/IoT routers and increase the risk exposure to critical infrastructure. The affected products are prevalent in multiple industries, particularly healthcare and manufacturing, but also technology, financial services, government, and power generation. The research details specific attack scenarios as well as potential mitigation techniques.


  • 21 vulnerabilities
  • 86,000+ exposed devices
  • 10% of devices confirmed patched against previous vulnerabilities

Sierra:21 Webinar

Understanding and Mitigating the Risk of Vulnerabilities in OT/IoT Routers

Forescout Vedere Labs discovered 21 new vulnerabilities in OT/IoT routers, exposing over 86,000 devices across critical sectors like energy and healthcare to cyber threats. Watch Head of Security Research Daniel dos Santos unpack the significance of these vulnerabilities, potential attacker exploits, and crucial strategies for asset owners to mitigate risks in these essential network connections.

Numbers of Exposed Devices that Run ACEmanager Vs. the Security Patch Status of the Underlying ALEOS Versions

We found more than 86,000 of these routers exposed online in organizations such as power distribution, a national health system, waste management, retail, and vehicle tracking. Less than 10% of the total exposed routers are confirmed to be patched against known previous vulnerabilities found since 2019. For devices exposing a specific management interface (AT commands over Telnet), we see that 90% are end of life, which means they cannot be patched anymore.

Dive into the research

This new research confirms trends that Forescout Vedere Labs has been tracking and analyzing:
  • Risk is on the rise. Vulnerabilities (and consequently attacks) on routers and network infrastructure are on the rise.
  • Design and operations are often culprits. Vulnerabilities in OT/IoT devices often arise from design flaws or issues when parsing malformed input.
  • Supply chain is a critical vector. Supply chain components can be very risky and increase the attack surface of critical devices.

Sierra:21 Infographic

Risk Mitigation

To completely protect against these new vulnerabilities, your organization must patch devices running the affected software. In addition to patching, we recommend the following actions:
  • Change the default SSL certificate for Sierra Wireless routers and any other device in your network that relies on default certificates.
  • Disable captive portals and other services such as Telnet and SSH if they are not needed. If they are needed, limit access to those services.
  • Consider deploying a web application firewall in front of OT/IoT routers to prevent exploitation of web-based vulnerabilities, such as the many XSS, command injection and DoS issues found in this research.
  • Deploy an OT/IoT-aware intrusion detection system (IDS) to monitor the connections between external networks and the routers, and connections between the routers and devices behind them. This helps detect signs of initial access leveraging the router along with signs of attackers using the router to further exploit critical devices.

FAQ

What is Sierra:21?

Forescout Research – Vedere Labs disclosed a set of 21 new vulnerabilities affecting Sierra Wireless AirLink cellular routers and some of their open source components, including TinyXML and OpenNDS, which are used in a variety of other products.

This new research confirms some trends we have been tracking:

  • Vulnerabilities on routers and network infrastructure are on the rise. Although most organizations are aware of the attack surface on their IT network infrastructure, many OT/IoT edge devices may not receive the same level of attention from security teams.
  • Vulnerabilities in OT/IoT devices are often the result of design flaws (such as the use of hardcoded credentials and certificates we saw in this research and previously in OT:ICEFALL), or issues when parsing malformed packets (such as CVE-2023-41101 in this research and the many we saw previously in Project Memoria).
  • Supply chain components, such as open-source software provided by third parties, can be very risky. As a result, they can increase the attack surface of critical devices, leading to vulnerabilities that may be hard for asset owners to track and mitigate.

What are OT/IoT routers?

OT/IoT routers are used to connect critical local networks to the Internet via cellular connections such as 3G and 4G. These devices are used in multiple critical infrastructure sectors, such as government and commercial facilities, emergency services, energy, transportation, water and wastewater systems, manufacturing and healthcare. Sierra Wireless is the most popular vendor of these types of devices.


What is the impact of the vulnerabilities?

One vulnerability has critical severity (CVSS score 9.6) and nine have high severity. These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks.

We found more than 86,000 Sierra Wireless AirLink routers exposed online in a range of organizations, including a national health system and those providing power distribution, waste management, retail, and vehicle tracking. Fewer than 10% of the total exposed routers are confirmed to be patched against known previous vulnerabilities. For devices exposing a specific management interface, we see that 80% are end of life, which means they cannot be patched anymore.

On Forescout Device Cloud, we see manufacturing and healthcare as the most affected industries.


What can organizations do to mitigate the risk from these vulnerabilities?

To completely protect against the new vulnerabilities, organizations must patch devices running the affected software. The OpenNDS project has released OpenNDS 10.1.3 containing fixes for all reported vulnerabilities. TinyXML is an abandoned open-source project, so the upstream vulnerabilities will not be fixed and must be addressed downstream by affected vendors. Sierra Wireless has released the following versions to address the new vulnerabilities:

  • ALEOS 4.17.0 containing fixes for all relevant vulnerabilities.
  • ALEOS 4.9.9 containing applicable fixes except for OpenNDS issues.

In addition to patching, we recommend the following actions:

  • Change the default SSL certificate for Sierra Wireless routers and any other device in your network that relies on default certificates.
  • Disable captive portals and other services such as Telnet and SSH if they are not needed. If they are needed, limit access to those services.
  • Consider deploying a web application firewall in front of OT/IoT routers to prevent exploitation of web-based vulnerabilities, such as the many XSS, command injection and DoS issues found in this research.
  • Deploy an OT/IoT-aware intrusion detection system (IDS) to monitor the connections between external networks and the routers, and the connections between the routers and devices behind them. This helps to detect signs of initial access leveraging the router along with signs of attackers using the router to further exploit critical devices.
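As an added example (not Forescout's or Sierra Wireless's code), the following script triages an asset inventory against the two fixed releases named above (ALEOS 4.17.0 with all fixes, ALEOS 4.9.9 without the OpenNDS fixes) and flags routers that still present a certificate fingerprint shared with other devices, which is the symptom of an unchanged default certificate. It assumes that only the 4.9.x branch is served by 4.9.9 and every other branch by 4.17.0, and that the inventory fields and fingerprints are constructed placeholders.

```python
# Added example, not from the page or the vendor. Assumption: 4.9.x devices
# are fixed at 4.9.9 (OpenNDS issues still open); all other branches at 4.17.0.
from collections import Counter

FULL_FIX = (4, 17, 0)       # ALEOS 4.17.0: all relevant fixes
PARTIAL_FIX = (4, 9, 9)     # ALEOS 4.9.9: all fixes except OpenNDS


def parse_version(text):
    """'4.16.0' -> (4, 16, 0); pads missing components with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def patch_status(version):
    """Classify one ALEOS version string against the fixed releases."""
    v = parse_version(version)
    if v[:2] == PARTIAL_FIX[:2]:            # 4.9.x maintenance branch
        return "partial (OpenNDS unfixed)" if v >= PARTIAL_FIX else "unpatched"
    return "patched" if v >= FULL_FIX else "unpatched"


def shared_cert_hosts(inventory):
    """Hosts whose TLS certificate fingerprint appears on more than one device."""
    counts = Counter(d["cert_sha256"] for d in inventory)
    return sorted(d["host"] for d in inventory if counts[d["cert_sha256"]] > 1)


def triage(inventory):
    """Map each host to its patch status plus a shared-default-cert flag."""
    shared = set(shared_cert_hosts(inventory))
    return {d["host"]: {"status": patch_status(d["aleos"]),
                        "shared_default_cert": d["host"] in shared}
            for d in inventory}


# Constructed sample inventory; fingerprints are placeholders, not real values.
SAMPLE = [
    {"host": "rtr-plant-01", "aleos": "4.16.0", "cert_sha256": "FP-DEFAULT"},
    {"host": "rtr-plant-02", "aleos": "4.17.0", "cert_sha256": "FP-UNIQUE-A"},
    {"host": "rtr-clinic-01", "aleos": "4.9.9", "cert_sha256": "FP-DEFAULT"},
    {"host": "rtr-clinic-02", "aleos": "4.9.3", "cert_sha256": "FP-UNIQUE-B"},
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE).items():
        print(f"{host:14} {r['status']:26} shared_cert={r['shared_default_cert']}")
```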

What should I do if a Forescout customer wants to speak with us about the vulnerabilities?

Forescout Research – Vedere Labs are available to speak with vendors and asset owners that are affected by these vulnerabilities. To set up a call, send an email to [email protected].


Where do I go for more information?

For more information on the vulnerabilities and mitigation strategies, reference our external blog.


How Forescout Can Help

To enable risk assessment and segmentation decisions, we added passive vulnerability matching to the CVE database for Forescout eyeInspect and Forescout Risk and Exposure solutions.

Forescout eyeInspect can also detect exploitation attempts against Sierra Wireless devices using the new ACEmanager Monitor script. eyeInspect detections can be forwarded to Forescout Threat Detection & Response (TDR), where they can be automatically correlated with telemetry and logs from a wide range of sources, including security tools, applications, infrastructure, cloud and other enrichment sources. It can then generate high-fidelity threats for analyst investigation.

Finally, Forescout TDR detections can be sent to Forescout eyeControl for automated remediation or restriction actions based on user-defined policies.
