CVE-2021-37471: Denial of Console Availability Using Restricted Shell Escape Sequences

2021-11-09 00:00:57

SUMMARY:

An authenticated user on NetCloud OS (NCOS) versions before 7.21.80 can run restricted shell escape sequences that let that user simultaneously deny availability of the device's NetCloud Manager console, local console and SSH command line. If your Cradlepoint device is configured for local administration and your NCOS credentials are default or have been compromised, a threat actor could use this vulnerability to perform a denial of service. However, the user is already authenticated as an NCOS admin and could make configuration changes that would result in the same denial of service.

Products Affected: Cradlepoint endpoints running NCOS versions earlier than 7.21.80

Recommendations: Upgrade to the latest NCOS version, change device default passwords, use strong passphrases, prevent unauthorized disclosure of credentials, disable local admin access on all NCOS LANs, and manage Cradlepoint endpoints from NetCloud Manager.

Related CVEs: CVE-2021-37471