Vulnerability Alerts

CPSEC-20: NCM Account Automation assigns System Admin role to users on POD

01/18/2019

Summary: NetCloud Manager (NCM) system administrator was been changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account's System Administrator to match the user listed as the 'Shipping Contact' on a Purchase Order processed by Operations.

Identified: Benjamin A. Fischer, Indiana Department of Transportation.

Mitigation: A code fix within Accounts Service and Provisioning Service were deployed to production. Provisioning Service would always check for the existence of an account before attempting to provision System Administrators or any account users. Accounts Service would never allow additional users to be created on existing accounts during the Order/Subscription provisioning flow.

Cradlepoint Support

Knowledge Base Article (Requires login to view article.)

CPSEC-16: XSS Vulnerability on Cradlepoint Website

01/08/2019

Summary: Reflected Cross Site Scripting (XSS) Vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third party researcher Ketan Madhukar Mukane.

Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Cradlepoint Support

CPSEC-18: Libssh Vulnerability

11/09/2018

Summary: A vulnerability in libssh's server-side state machine before versions 0.7.6 and 0.8.4. Malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS - Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.

Knowledgebase Article

CVE-2018-10933 NIST/NDV Detail

CPSEC-18: Libssh Vulnerability

11/09/2018

Summary: A vulnerability in libssh's server-side state machine before versions 0.7.6 and 0.8.4. Malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS - Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.

Knowledge Base Article

CVE-2018-10933 NIST/NDV Detail

CPSEC-4: Weak Encryption of stored user passwords

10/20/2018

Summary: The passwords for local user accounts, stored locally on the router, were not effectively encrypted.

Mitigation: Involved changing admin and user passwords. Disable local and remote access to the router and restrict remote access to certain IP’s. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Base Article

CPSEC-3: Default admin password based on MAC address

10/20/2018

Summary: This vulnerability applied to customers who have not changed their default passwords. If the default password was changed, this vulnerability has a minimal network impact.

Mitigation: Involved avoiding using default admin or WiFi passwords, opting for passwords based on security best practices. NetCloud OS Patch available. After December 3, 2018 the default password scheme will be changed. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Base Article

CPSEC-2: Enabling Tech Support Mode

10/20/2018

Summary:  If an administrator or user enables “Tech Support Mode,” and this mode is not turned off through configuration or through a router reboot, a non-admin user can gain elevated privileges.

Mitigation: Involves disabling the “Tech Support Mode” and disable SSH as required. See Cradlepoint Support. NetCloud OS Patch available 10/1/2018 (6.6.4) for all affected products. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Base Article

CPSEC-1: Product Line Test Variables

10/20/2018

Summary: This vulnerability applied to customers who did not changed their default passwords. If passwords were changed from the default, this vulnerability will have nominal impact to the customers network.

Mitigation: Involved changing the default admin or WiFi passwords for those based on security best practices for administrative and WiFi access. NetCloud OS Patch for all current products listed above is scheduled for release in December 2018 (NCOS version 7.0.1).

Knowledge Base Article

CPSEC-15: Device population shares same SSL/TLS & SSH keys

10/19/2018

Summary: Cradlepoint devices are provisioned with SSL/TLS certificates and SSH host keys that are shared across subsets of the Cradlepoint device population. This sharing enables an attacker to recover the private key material from a device or firmware image and use it against another Cradlepoint administrator to implement a man-in-the-middle attack.

Mitigation: Involved upgrading to firmware version 7.0.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Base Article

CPSEC-14: Open SSL “Heartbleed” Vulnerability

10/19/2018

Summary: This vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they have collected.

Mitigation: Involved upgrading to firmware version 5.1.1 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Base Article

CVE-2014-0160 NIST/NDV Detail