Security Bulletin - 2022-001: Activity Log Secrets Non-Public Information

2022-11-03 23:28:35

Cradlepoint became aware of the potential for information not intended to be included in Activity Logs to have been written to the logs on Cradlepoint routers running NCOS (NetCloud Operating System) 7.21.40 or newer prior to October 21, 2022.

The issue stems from a change to the Cradlepoint NCOS configuration released on April 5th, 2021. It applied only when an Individual Configuration Change involving secrets (i.e., passwords) was made; in that case, the secret would be recorded in the Activity Log in clear text. The secrets recorded in the Activity Logs would be passwords for configuration items, such as Wi-Fi or VPN tunnel passwords. NCM and NCOS passwords were not exposed in the Activity Logs. If you made Group Configuration Changes, your Cradlepoint routers are not affected by this issue. Any authenticated user of NetCloud Manager would already have been able to see these secrets in the configuration within NetCloud Manager; however, it may not be expected for this information to be readable in the Activity Log.

In an abundance of caution and in an effort to enhance security, Cradlepoint issued and applied a fix as of October 21, 2022. All secrets data in the individual configuration Activity Log have been masked so that the data can no longer be viewed in the Activity Logs for any Cradlepoint system. As always, we encourage our customers to update and maintain current operating systems and change all default passwords to maintain good security hygiene.
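The masking described above can be illustrated with an added example, which is not Cradlepoint's code: it masks secret values in a configuration-change record before the record is logged, and lists secret fields still in clear text in entries stored earlier. The record layout, the key-name pattern and all sample values are assumptions constructed for illustration; the bulletin does not give the NCOS schema.

```python
import re

# Assumed key-name patterns that mark a value as secret (hypothetical; the
# bulletin does not describe the real NCOS configuration schema).
SECRET_KEY = re.compile(r"(pass(word|phrase)?|psk|secret|key)$", re.IGNORECASE)
MASK = "********"

def mask_secrets(node, key=""):
    """Return a masked copy of a config-change tree; the input is not modified."""
    if SECRET_KEY.search(key) and node not in (None, ""):
        return MASK  # fail closed: a whole subtree under a secret key is masked
    if isinstance(node, dict):
        return {k: mask_secrets(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_secrets(v) for v in node]
    return node

def unmasked_paths(node, path="", key=""):
    """List paths in a stored entry whose secret value is still in clear text."""
    if SECRET_KEY.search(key) and node not in (None, "", MASK):
        return [path]
    if isinstance(node, dict):
        return [p for k, v in node.items()
                for p in unmasked_paths(v, f"{path}/{k}", k)]
    if isinstance(node, list):
        return [p for i, v in enumerate(node)
                for p in unmasked_paths(v, f"{path}/{i}")]
    return []

# Constructed sample of an individual configuration change (not a real log entry).
CHANGE = {
    "user": "admin@example.com",
    "action": "individual_config_change",
    "diff": {
        "wlan": {"bss": [{"ssid": "Branch-12", "wpapsk": "example-wifi-pass"}]},
        "vpn": {"tunnels": [{"name": "hq", "ike_psk": "example-tunnel-pass"}]},
        "system": {"hostname": "router-12"},
    },
}

if __name__ == "__main__":
    print("clear-text secrets in stored entry:", unmasked_paths(CHANGE))
    print("entry as it should be logged:", mask_secrets(CHANGE))
```

Any value that `unmasked_paths` reports for an entry written before the fix should be treated as exposed to everyone who could read that log and rotated.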