NetComm Wireless created new firmware to mitigate multiple vulnerabilities in its 4G LTE Light Industrial M2M Router, according to a report with NCCIC.
The remotely exploitable vulnerabilities are information exposure, cross-site request forgery, cross-site scripting, and information exposure through directory listing.
Successful exploitation of these vulnerabilities, discovered by Aditya K. Sood, could allow for the exposure of sensitive information.
A cellular router 4G LTE Light Industrial M2M Router (NWL-25) with firmware 22.214.171.124 and prior suffer from the issues.
In one vulnerability, the device allows access to configuration files and profiles without authenticating the user.
CVE-2018-14782 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, a cross-site request forgery condition can occur, allowing an attacker to change passwords of the device remotely.
CVE-2018-14783 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
Also, the device is vulnerable to several cross-site scripting attacks, allowing a remote attacker to run arbitrary code on the device.
CVE-2018-14784 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
In addition, the directory of the device is listed openly without authentication.
CVE-2018-14785 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the communications sector, but on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Australia-based NetComm Wireless released a new firmware version to mitigate the vulnerabilities. Affected users can click here to download the firmware.