COVID-19 EMERGENCY RESPONSE We stand with our partners, business customers, and especially our first and emergency responders on the front lines of this crisis. Read More

Vulnerability Alerts

 

CPSEC-284: Cradlepoint Unaffected by Ripple20 Vulnerabilities

June 30, 2020

Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities.

Mitigation: No mitigation necessary.


CPSEC-278: Cradlepoint Not Vulnerable to CVE-2020-12695 (aka CallStranger)

June 17, 2020

Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of a Callback header value in the UPnP Subscribe function, allowing for possible data exfiltration, DDOS and/or scanning internal ports from Internet facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity to a local UPnP device connected to a Cradlepoint router may be affected.

Mitigation: In NCOS, UPnP Gateway is disabled and the zone-based firewall is configured with an explicit deny for unsolicited inbound traffic by default. It is recommended that customers do not enable the UPnP Gateway service, unless necessary, and use NetCloud Manager’s Remote Connect feature or NetCloud Perimeter as a secure alternative to port forwarding and/or DMZ.


CPSEC-49: Tech Support Mode Warning Bypass

August 6, 2019

Device permitted enabling of “cproot” account through the “Add User” function built into administrative interface.

Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built in to the administrative interfaces.

Identified: New York City Cyber Command (NYC3) IBR1700 assessment results.

Impact: High: Enabling the “cproot” account in this way suppresses one of the significant alerts from the device about configuration events that pose a potential security risk.

Exploitability: Medium; in that an attacker must know the password of a device user; and knowledge of other alerts focusing on device modification still sent to the logging functionalities implemented by the device.

Mitigation: Fix added to NCOM – FW 7.1.10 version release addressing NYC3 recommendations.  Treat any device noting a successful login to the “cproot” account, without an identified maintenance window, as compromised and removed from service until completion of forensic analysis.

Incorporated and released into FW 7.1.10 (Aug/6/2019) to enable Admin Access to Networks with trusted users. Delegate all other users to Guest or like Networks without enabled Admin Access.

To update routers to 7.1.10, or above, to correct this vulnerability, see CP Knowledgebase article for details and instructions below.

Customer Community Article

Cradlepoint Support


CPSEC-20: NCM Account Automation assigns System Admin role to users on POD

January 18, 2019

Summary: NetCloud Manager (NCM) system administrator was been changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations.

Identified: Benjamin A. Fischer, Indiana Department of Transportation.

Mitigation: A code fix within Accounts Service and Provisioning Service were deployed to production. Provisioning Service would always check for the existence of an account before attempting to provision System Administrators or any account users. Accounts Service would never allow additional users to be created on existing accounts during the Order/Subscription provisioning flow.

Cradlepoint Support

Knowledge Article (Requires login to view article.)


CPSEC-16: XSS Vulnerability on Cradlepoint Website

January 8, 2019

Summary: Reflected Cross Site Scripting (XSS) Vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third party researcher Ketan Madhukar Mukane.

Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Cradlepoint Support


CPSEC-18: Libssh Vulnerability

November 9, 2018

Summary: A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. Malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS – Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.

Knowledge Article

CVE-2018-10933 NIST/NDV Detail


CPSEC-1: Product Line Test Variables

October 20, 2018

Summary: This vulnerability applied to customers who did not changed their default passwords. If passwords were changed from the default, this vulnerability will have nominal impact to the customers network.

Mitigation: Involved changing the default admin or WiFi passwords for those based on security best practices for administrative and WiFi access. NetCloud OS Patch for all current products listed above is scheduled for release in December 2018 (NCOS version 7.0.1).

Knowledge Base Article


CPSEC-2: Enabling Tech Support Mode

Summary:  If an administrator or user enables “Tech Support Mode,” and this mode is not turned off through configuration or through a router reboot, a non-admin user can gain elevated privileges.

Mitigation: Involves disabling the “Tech Support Mode” and disable SSH as required. See Cradlepoint Support. NetCloud OS Patch available 10/1/2018 (6.6.4) for all affected products. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


CPSEC-3: Default admin password based on MAC address

Summary: This vulnerability applied to customers who have not changed their default passwords. If the default password was changed, this vulnerability has a minimal network impact.

Mitigation: Involved avoiding using default admin or WiFi passwords, opting for passwords based on security best practices. NetCloud OS Patch available. After December 3, 2018 the default password scheme will be changed. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


CPSEC-4: Weak Encryption of stored user passwords

Summary: The passwords for local user accounts, stored locally on the router, were not effectively encrypted.

Mitigation: Involved changing admin and user passwords. Disable local and remote access to the router and restrict remote access to certain IP’s. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


Loading Image

Loading more articles