COVID-19 EMERGENCY RESPONSE We stand with our partners, business customers, and especially our first and emergency responders on the front lines of this crisis. Read More

Vulnerability Alerts

 

CPSEC-49: Tech Support Mode Warning Bypass

August 6, 2019

Device permitted enabling of “cproot” account through the “Add User” function built into administrative interface.

Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built in to the administrative interfaces.

Identified: New York City Cyber Command (NYC3) IBR1700 assessment results.

Impact: High: Enabling the “cproot” account in this way suppresses one of the significant alerts from the device about configuration events that pose a potential security risk.

Exploitability: Medium; in that an attacker must know the password of a device user; and knowledge of other alerts focusing on device modification still sent to the logging functionalities implemented by the device.

Mitigation: Fix added to NCOM – FW 7.1.10 version release addressing NYC3 recommendations.  Treat any device noting a successful login to the “cproot” account, without an identified maintenance window, as compromised and removed from service until completion of forensic analysis.

Incorporated and released into FW 7.1.10 (Aug/6/2019) to enable Admin Access to Networks with trusted users. Delegate all other users to Guest or like Networks without enabled Admin Access.

To update routers to 7.1.10, or above, to correct this vulnerability, see CP Knowledgebase article for details and instructions below.

Customer Community Article

Cradlepoint Support


CPSEC-20: NCM Account Automation assigns System Admin role to users on POD

January 18, 2019

Summary: NetCloud Manager (NCM) system administrator was been changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations.

Identified: Benjamin A. Fischer, Indiana Department of Transportation.

Mitigation: A code fix within Accounts Service and Provisioning Service were deployed to production. Provisioning Service would always check for the existence of an account before attempting to provision System Administrators or any account users. Accounts Service would never allow additional users to be created on existing accounts during the Order/Subscription provisioning flow.

Cradlepoint Support

Knowledge Article (Requires login to view article.)


CPSEC-16: XSS Vulnerability on Cradlepoint Website

January 8, 2019

Summary: Reflected Cross Site Scripting (XSS) Vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third party researcher Ketan Madhukar Mukane.

Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Cradlepoint Support


CPSEC-18: Libssh Vulnerability

November 9, 2018

Summary: A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. Malicious agent could create channels without performing authentication, facilitating unauthorized access.

Mitigation: Although CP does use libssh coding, CP products are not vulnerable to this OBM or AAOBM service. CP uses client-side implementation and this specific vulnerability exploits server-side implementation. NCOS – Although we do use the libssh code, we use a separate Python authentication wrapper for authentication, and we are not vulnerable to this.

Knowledge Article

CVE-2018-10933 NIST/NDV Detail


CPSEC-1: Product Line Test Variables

October 20, 2018

Summary: This vulnerability applied to customers who did not changed their default passwords. If passwords were changed from the default, this vulnerability will have nominal impact to the customers network.

Mitigation: Involved changing the default admin or WiFi passwords for those based on security best practices for administrative and WiFi access. NetCloud OS Patch for all current products listed above is scheduled for release in December 2018 (NCOS version 7.0.1).

Knowledge Base Article


CPSEC-2: Enabling Tech Support Mode

Summary:  If an administrator or user enables “Tech Support Mode,” and this mode is not turned off through configuration or through a router reboot, a non-admin user can gain elevated privileges.

Mitigation: Involves disabling the “Tech Support Mode” and disable SSH as required. See Cradlepoint Support. NetCloud OS Patch available 10/1/2018 (6.6.4) for all affected products. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


CPSEC-3: Default admin password based on MAC address

Summary: This vulnerability applied to customers who have not changed their default passwords. If the default password was changed, this vulnerability has a minimal network impact.

Mitigation: Involved avoiding using default admin or WiFi passwords, opting for passwords based on security best practices. NetCloud OS Patch available. After December 3, 2018 the default password scheme will be changed. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


CPSEC-4: Weak Encryption of stored user passwords

Summary: The passwords for local user accounts, stored locally on the router, were not effectively encrypted.

Mitigation: Involved changing admin and user passwords. Disable local and remote access to the router and restrict remote access to certain IP’s. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

Knowledge Article


CPSEC-7: Cross Site Scripting Mitigation

October 19, 2018

Summary: Cradlepoint’s security auditor, Carve Systems, discovered two occasions where the router’s User Interface was susceptible to an external attack.

Mitigation: Involved insuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.

CVE – Various NIST/NVD Details


CPSEC-8: UPnP vulnerable to Denial of Service (DoS) attack

Summary: The version of Universal Plug and Play (UPnP) Cradlepoint used was vulnerable to a local DoS attack. Cradlepoint updated to a newer version.

Mitigation: Involved insuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.


Loading Image

Loading more articles