VYPR
Unrated severity · NVD Advisory · Published May 6, 2019 · Updated Aug 5, 2024

CVE-2018-4066

Description

An exploitable cross-site request forgery vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an authenticated user to perform privileged requests unknowingly, so that requests originating from an unauthenticated party are carried out through the authenticated user's session. An attacker can get an authenticated user to request authenticated pages on the attacker's behalf to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery vulnerability in Sierra Wireless AirLink ES450 ACEManager allows an attacker to trick an authenticated user into performing privileged actions unintentionally.

Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in the ACEManager web application of Sierra Wireless AirLink ES450 firmware version 4.9.3 [1][3]. The ACEManager lacks anti-CSRF headers, which would normally allow the server to verify that a state-changing request was issued from its own pages within the same session [3]. This affects the ES450 model running firmware 4.9.3; according to the CISA advisory, both the GX450 and the ES450 are affected prior to version 4.9.4 [2].
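To make the missing control concrete, the following is an added example (not Sierra Wireless code and not derived from the ACEManager implementation) of the server-side check a web UI needs so that a browser-forged state-changing request is rejected even though the browser attaches the victim's session cookie. The device origin, the in-memory session store and the `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder for the device's management UI origin.
DEVICE_ORIGIN = "https://192.0.2.1:9443"

# Hypothetical in-memory session store: session cookie -> anti-CSRF token.
_sessions: dict[str, str] = {}


def login() -> tuple[str, str]:
    """Create a session and bind a fresh anti-CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid, _sessions[sid]


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def authorize_state_change(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request that would change device state.

    Two independent checks: the Origin (or Referer) header must name the
    device itself, and the form must carry the token bound to the session.
    A request forged from another site carries the session cookie
    automatically, but the browser sets a foreign Origin and the page
    cannot read the token, so both checks fail independently.
    """
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    sid = req.cookies.get("session")
    if sid not in _sessions:
        return False, "no authenticated session"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
        return False, "cross-origin request"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), _sessions[sid].encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"
```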

Exploitation

An attacker can craft a malicious HTTP request and trick an authenticated user into executing it, for example by embedding the request in an email or on a website [1][3]. The victim must have an active session with the ACEManager and be logged in. No special network position is required beyond the ability to deliver the crafted link or page to the authenticated user [3]. The attacker does not need to be authenticated on the device itself.

Impact

Successful exploitation allows the attacker to perform privileged actions on the device as the authenticated user, such as modifying device configuration, changing routing settings, or managing certificates [3]. While the ACEManager is not accessible by default from the Cellular WAN, it is reachable over LAN or VPN [3]. The CVSS v3 score is 6.4, indicating a medium severity with high integrity and availability impact [3], though CISA notes a 9.1 for the overall ALEOS vulnerability set [2].

Mitigation

Sierra Wireless has addressed this vulnerability in AirLink ALEOS version 4.9.4 for GX450 and ES450 models [2]. The fix was released as part of an update that also addresses multiple other vulnerabilities [2]. Users should upgrade to firmware 4.9.4 or later. If upgrading is not immediately possible, network administrators should restrict access to the ACEManager web interface to trusted users only, and consider disabling remote access where not needed [3]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: no source-code context for this CVE. Mechanics is only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0 (no linked articles in our index yet)