Security Alerts

Cradlepoint recognizes the importance of security and privacy, and we take security issues very seriously. We are committed to communicating and working in a timely manner for any reported security vulnerability, whether from an employee, customer, partner, or other outside party.

Submit a Security Issue

CPSEC-4: Weak Encryption of stored user passwords

October 20, 2018

Summary: The passwords for local user accounts, stored locally on the router, were not effectively encrypted. Mitigation: Involved changing admin and user passwords. Disable local and remote access to the router and restrict remote access to certain IPs. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article


CPSEC-7: Cross Site Scripting Mitigation

October 19, 2018

Summary: Cradlepoint’s security auditor, Carve Systems, discovered two occasions where the router’s User Interface was susceptible to an external attack. Mitigation: Involved ensuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. CVE – Various NIST/NVD Details


CPSEC-8: UPnP vulnerable to Denial of Service (DoS) attack

Summary: The version of Universal Plug and Play (UPnP) Cradlepoint used was vulnerable to a local DoS attack. Cradlepoint updated to a newer version. Mitigation: Involved ensuring that all routers are running firmware version 6.1.0 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support.


CPSEC-9: OpenSSL vulnerable to DROWN attack

Summary: The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that the client possesses certain plaintext RSA data. This makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka […]


CPSEC-10: WiFi Protected Access (WPA) & WPA2 Vulnerabilities “KRACK”

Summary: A WiFi vulnerability has been published that affects WPA and WPA2 authentication. This security vulnerability is in a WiFi security protocol (WPA/WPA2) which Cradlepoint and most, if not all, WiFi devices use. Cradlepoint noted limited attack surfaces. Mitigation: Involved ensuring that all routers are running firmware version 6.4.2 or newer. Knowledge Article


CPSEC-11: HTTP Proxy Content Filtering Vulnerability

Summary: When the HTTP Proxy Content Filtering is ENABLED in FW 5.3.0 – 5.3.3, a firewall rule is enabled that allows WAN access to the proxy. Mitigation: Involved upgrading firmware to a version newer than 5.3.3. Also, see the knowledge base article for adding a firewall rule. For more information or instructions on these mitigation steps, consult […]


CPSEC-12: CVE-2014-6271 & CVE-2014-7169 “Bash Bug”

Summary: Cradlepoint has addressed the critical security vulnerability known as “Bash bug” (CVE-2014-6271 & 7169). The Vulnerability Security Response team (VSR) noted that no Cradlepoint routers were affected. Mitigation: No mitigation or action required. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article CVE-2014-6271 NIST/NVD Detail CVE-2014-7169 […]


CPSEC-13: Open SSL “POODLE” Vulnerability

Summary: The OpenSSL project released an advisory on October 15th, 2014, which describes the newly discovered vulnerability (CVE-2014-3566). Some Cradlepoint products utilize OpenSSL and are affected by this advisory. Mitigation: Involved upgrading to firmware version 5.2.4 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article […]


CPSEC-14: Open SSL “Heartbleed” Vulnerability

Summary: This vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they have collected. Mitigation: Involved upgrading to firmware version 5.1.1 or newer. For more information or instructions on these mitigation steps, consult the Cradlepoint Knowledgebase or contact Cradlepoint Support. Knowledge Article CVE-2014-0160 NIST/NVD Detail


CPSEC-15: Device population shares same SSL/TLS & SSH keys

Summary: Cradlepoint devices are provisioned with SSL/TLS certificates and SSH host keys that are shared across subsets of the Cradlepoint device population. This sharing enables an attacker to recover the private key material from a device or firmware image and use it against another Cradlepoint administrator to implement a man-in-the-middle attack. Mitigation: Involved upgrading to firmware version […]
