CVE-2017-6044
Published: 2017-06-30
Priority: P263 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.26% (89.8th percentile)
An Improper Authorization issue was discovered in Sierra Wireless AirLink Raven XE, all versions prior to 4.0.14, and AirLink Raven XT, all versions prior to 4.0.11. Several files and directories can be accessed without authentication, which may allow a remote attacker to perform sensitive functions including arbitrary file upload, file download, and device reboot.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sierra_wireless | airlink_raven_xe_firmware | < 4.0.14 | — |
Detection & IOCs (extracted from sources)
- Several files and directories on Sierra Wireless AirLink Raven XE/XT are accessible without authentication — probe for unauthenticated GET/POST requests to device web interface paths (file upload, file download, reboot endpoints) as an indicator of exploitation attempts.
- The vulnerability is remotely exploitable with no authentication required (CVSS PR:N, UI:N) and public exploits are available — monitor for unauthenticated access attempts to Sierra Wireless AirLink Raven XE (pre-4.0.14) and Raven XT (pre-4.0.11) management interfaces from external/internet-facing sources.
- Credentials transmitted by affected devices are insufficiently protected and vulnerable to sniffing — monitor for cleartext credential exposure on the network from these devices.
- Sierra Wireless confirmed the insufficiently protected credentials vulnerability (CVE-2017-6046) will NOT be patched — organizations must accept residual risk or implement compensating controls for credential sniffing on these devices.
- Affected firmware versions are: AirLink Raven XE all versions prior to 4.0.14, and AirLink Raven XT all versions prior to 4.0.11 — use firmware version checks to identify vulnerable assets in the environment.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
GHSA
GHSA-5vxj-c9wj-5m6q · ghsa_unreviewed · 2022-05-13
CVE-2017-6044 [CRITICAL] CWE-285 (Improper Authorization); the GHSA description is identical to the CVE description above.
CISA ICS
cisa_ics · 2017-04-25
ICS Advisory: Sierra Wireless AirLink Raven XE and XT
Archived content: CISA.gov notes this advisory is archived and may not reflect current policy or programs.
Last Revised: April 25, 2017
Alert Code: ICSA-17-115-02
## CVSS v3 10.0
ATTENTION: Remotely exploitable/low skill level to exploit. Public exploits are available.
Vendor: Sierra Wireless
Equipment: AirLink Raven XE and XT
Vulnerabilities: Improper Authorization, Cross-Site Request Forgery, Insufficiently Protected Credentials
## REPOSTED INFORMATION
This advisory is a follow-up to the alert titled ICS-ALERT-16-182-01 Sierra Wireless AirLink Raven XE and XT Gateway Vulnerabilities that was published June 30, 2016, on the NCCIC/ICS-CERT web
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.