Multiple vulnerabilities affecting Sierra Wireless AirLink routers

Sierra has launched a security alert mentioning that its AirLink router model, thought for Internet of Things (IoT) applications, are exposed to the exploitation of some known vulnerabilities, reported cyber forensics course specialists.

Vulnerabilities affecting AirLink devices are part of a list of 11 critical security flaws in Sierra Wireless routers, published a few days ago. In addition, the company mentions that vulnerabilities also impact other router models that use the same software (ALEOS).

This router model was designed to operate in integrated applications, such as data transmission in fleets of vehicles (patrol data collection, for example), application in industrial environments (real-time equipment tracking). For its part, the ALEOS software is responsible for operating the devices in real environments.

Sierra Wireless corrected seven vulnerabilities, two of them critical, cyber forensics course experts mentioned. As reported, if successfully exploited, these vulnerabilities would allow a threat actor to execute code remotely, extract users’ credentials, and find routes to system files.

The most severe vulnerabilities are a command-injection flaw in the operating system (tracked as CVE-2018-4061), as well as a flaw that allows hackers to load files without restriction. Vulnerabilities are considered critical and have received a score of 9.1/on the Common Vulnerability Scoring System (CVSS) scale.

According to cyber forensics course specialists, an attacker could easily exploit these vulnerabilities, using only a specially designed HTTP request to then load a file that will derive in the executable code loading.

The other vulnerabilities received average scores; these included a flaw to forge cross-site requests, a vulnerability to use encoded credentials, and an HTTP ping request error that allows a JavaScript to run in the user’s browser.

According to specialists from the International Institute of Cyber Security (IICS), the company also corrected two security flaws that impact all of its router models that could expose them to multiple variants of remote hacking.