Security Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.


CPSEC-368: NetCloud OS (NCOS) Vulnerable to DNSpooq (DNSmasq)

January 19, 2021

SUMMARY: Cradlepoint devices running NetCloud OS (NCOS) use dnsmasq for domain resolution, domain caching and DHCP services on the local LAN. DNS is a configurable service within NCOS; therefore the possible configuration states and their potential impacts are listed. Public Disclosure: https://www.jsof-tech.com/disclosures/dnspooq/ Affected Components: NCOS versions up to 7.21.20 Recommendations: Promptly test and upgrade to […]


CPSEC-284: Cradlepoint Unaffected by Ripple20 Vulnerabilities

June 30, 2020

Summary: Cradlepoint does not implement the Treck TCP/IP protocol stack in any of its products or services and is therefore unaffected by the Ripple20 Vulnerabilities. Mitigation: No mitigation necessary.


CPSEC-278: Cradlepoint Not Vulnerable to CVE-2020-12695 (aka CallStranger)

June 17, 2020

Summary: Cradlepoint does not use a version of UPnP that is vulnerable to CVE-2020-12695 (aka CallStranger). CallStranger takes advantage of the Callback header value in the UPnP SUBSCRIBE function, allowing possible data exfiltration, DDoS and/or scanning of internal ports from Internet-facing UPnP devices. However, customers who improperly configure NCOS to allow unsolicited inbound connectivity […]


CPSEC-49: Tech Support Mode Warning Bypass

August 6, 2019

Summary: The device permitted enabling of the “cproot” account through the “Add User” functionality built into the administrative interfaces. Identified: New York City Cyber Command (NYC3) IBR1700 assessment results. Impact: High: Enabling the “cproot” account in this way suppresses one of the […]


CPSEC-20: NCM Account Automation assigns System Admin role to users on POD

January 18, 2019

Summary: The NetCloud Manager (NCM) system administrator was changed without notifying the client system administrator. A defect was released to production that allowed certain provisioning services to modify an existing account’s System Administrator to match the user listed as the ‘Shipping Contact’ on a Purchase Order processed by Operations. Identified: Benjamin A. Fischer, Indiana Department of […]


CPSEC-16: XSS Vulnerability on Cradlepoint Website

January 8, 2019

Summary: Reflected Cross-Site Scripting (XSS) vulnerability. Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. Identified by third-party researcher Ketan Madhukar Mukane. Mitigation: Remove the vulnerable page from the Cradlepoint website; no Advisory issued. For more information or instructions on these mitigation […]


CPSEC-18: Libssh Vulnerability

November 9, 2018

Summary: A vulnerability in libssh’s server-side state machine before versions 0.7.6 and 0.8.4. A malicious agent could create channels without performing authentication, facilitating unauthorized access. Mitigation: Although CP does use libssh code, CP products are not vulnerable through the OBM or AAOBM service. CP uses the client-side implementation, and this specific vulnerability exploits the server-side implementation. NCOS – Although we […]


CPSEC-1: Product Line Test Variables

October 20, 2018

Summary: This vulnerability applied to customers who did not change their default passwords. If passwords were changed from the default, this vulnerability has nominal impact on the customer’s network. Mitigation: Involved changing the default admin or WiFi passwords to ones based on security best practices for administrative and WiFi access. NetCloud OS Patch for all current […]


CPSEC-2: Enabling Tech Support Mode

Summary: If an administrator or user enables “Tech Support Mode,” and this mode is not turned off through configuration or through a router reboot, a non-admin user can gain elevated privileges. Mitigation: Involves disabling “Tech Support Mode” and disabling SSH as required. See Cradlepoint Support. NetCloud OS Patch available 10/1/2018 (6.6.4) for all affected products. For […]


CPSEC-3: Default admin password based on MAC address

Summary: This vulnerability applied to customers who have not changed their default passwords. If the default password was changed, this vulnerability has minimal network impact. Mitigation: Involved avoiding the use of default admin or WiFi passwords, opting instead for passwords based on security best practices. NetCloud OS Patch available. After December 3, 2018 the default password scheme will be […]

