Vulnerability Alerts

SUMMARY:

Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS therefore possible configuration states and potential impacts are listed.

Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/

Affected Components: NCOS versions up to 7.21.20

Recommendations:

• Promptly test and upgrade to the latest NCOS version upon release
• Disable (do not enable) DNSSEC until patched
• Authenticate clients to the LAN using 802.1X
• Do not configure firewall to expose DNS services (UDP port 53) on WAN interfaces

Default Configuration: DNSSEC disabled

• Cradlepoint Severity: Low/Medium (dependent upon environment)
• Potentially Impacted: Local LAN users, clients, and services
• Potential Attack Path: Local LAN
• Associated CVEs:
  • CVE-2020-25684
  • CVE-2020-25685
  • CVE-2020-25686

Modified Configuration: DNSSEC enabled

• Cradlepoint Severity: Medium/High (dependent upon environment)
• Potentially Impacted:
  • Device and sub-services
  • Local LAN users, clients, and services
• Potential Attack Path: Local LAN
• Associated CVEs:
  • CVE-2020-25681
  • CVE-2020-25682
  • CVE-2020-25683
  • CVE-2020-25687

Modified Configuration: DNS services exposed on WAN

• Cradlepoint Severity: Critical (dependent upon environment)
• Potentially Impacted: See above
• Potential Attack Paths:
  • WAN interfaces
  • Local LAN
• Associated CVEs: See above

Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities.

Mitigation: No mitigation necessary.

Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of a Callback header value in the UPnP Subscribe function, allowing for possible data exfiltration, DDOS and/or scanning internal ports from Internet facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity to a local UPnP device connected to a Cradlepoint router may be affected.

Mitigation: In NCOS, UPnP Gateway is disabled and the zone-based firewall is configured with an explicit deny for unsolicited inbound traffic by default. It is recommended that customers do not enable the UPnP Gateway service, unless necessary, and use NetCloud Manager’s Remote Connect feature or NetCloud Perimeter as a secure alternative to port forwarding and/or DMZ.

Device permitted enabling of “cproot” account through the “Add User” function built into administrative interface.

Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built in to the administrative interfaces.

Identified: New York City Cyber Command (NYC3) IBR1700 assessment results.

Impact: High: Enabling the “cproot” account in this way suppresses one of the significant alerts from the device about configuration events that pose a potential security risk.

Exploitability: Medium; in that an attacker must know the password of a device user; and knowledge of other alerts focusing on device modification still sent to the logging functionalities implemented by the device.

Mitigation: Fix added to NCOM – FW 7.1.10 version release addressing NYC3 recommendations.  Treat any device noting a successful login to the “cproot” account, without an identified maintenance window, as compromised and removed from service until completion of forensic analysis.

Incorporated and released into FW 7.1.10 (Aug/6/2019) to enable Admin Access to Networks with trusted users. Delegate all other users to Guest or like Networks without enabled Admin Access.

To update routers to 7.1.10, or above, to correct this vulnerability, see CP Knowledgebase article for details and instructions below.

Customer Community Article

Cradlepoint Support

Summary: NetCloud Manager (NCM) system administrator was been changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations.

Identified: Benjamin A. Fischer, Indiana Department of Transportation.

Mitigation: A code fix within Accounts Service and Provisioning Service were deployed to production. Provisioning Service would always check for the existence of an account before attempting to provision System Administrators or any account users. Accounts Service would never allow additional users to be created on existing accounts during the Order/Subscription provisioning flow.

Cradlepoint Support

Knowledge Article (Requires login to view article.)

Summary: Reflected Cross Site Scripting (XSS) Vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third party researcher Ketan Madhukar Mukane.

Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Cradlepoint Support

Summary: A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. Malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS – Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.

Knowledge Article

CVE-2018-10933 NIST/NDV Detail

Summary: This vulnerability applied to customers who did not changed their default passwords. If passwords were changed from the default, this vulnerability will have nominal impact to the customers network.

Mitigation: Involved changing the default admin or WiFi passwords for those based on security best practices for administrative and WiFi access. NetCloud OS Patch for all current products listed above is scheduled for release in December 2018 (NCOS version 7.0.1).

Knowledge Base Article

Summary:  If an administrator or user enables “Tech Support Mode,” and this mode is not turned off through configuration or through a router reboot, a non-admin user can gain elevated privileges.

Mitigation: Involves disabling the “Tech Support Mode” and disable SSH as required. See Cradlepoint Support. NetCloud OS Patch available 10/1/2018 (6.6.4) for all affected products. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article

Summary: This vulnerability applied to customers who have not changed their default passwords. If the default password was changed, this vulnerability has a minimal network impact.

Mitigation: Involved avoiding using default admin or WiFi passwords, opting for passwords based on security best practices. NetCloud OS Patch available. After December 3, 2018 the default password scheme will be changed. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article