In response to the critical security vulnerabilities discovered in the dnsmasq network service (CVE-2017-14491 and others), Cradlepoint has taken steps to incorporate dnsmasq version 2.78 into its latest NetCloud OS.
In the default configuration, this vulnerability cannot be exploited from the WAN unless a customer has changed WAN settings. However, an attacker on the LAN or Guest LAN who exploits this vulnerability could remotely execute code, forward the contents of process memory, or disrupt service on an affected router. As described in various sources, this flaw is difficult to trigger: it requires an attacker who controls a specific domain to send DNS requests to dnsmasq that cause it to cache replies from that domain. Through carefully constructed DNS requests and responses, the attacker could cause dnsmasq to overflow an internal buffer with attacker-influenced content.
More details can be found here: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html.
Cradlepoint recommends customers upgrade products to the upcoming NetCloud OS versions (available approximately 10/30/17) to mitigate this vulnerability. All router products are affected, including:
Note: Routers used in default configuration are not exposed on their WAN interfaces. Routers were exposed to their Local Network, including the Guest LAN (if enabled).
NetCloud Manager has been patched for all its own affected services. Usernames and passwords are not at risk.
NetCloud OS Patch Available 10/30/2017
- 6.4.2 – All products listed above
Remote NetCloud OS Upgrades
For remote devices, Cradlepoint recommends using NetCloud Manager to upgrade NetCloud OS, manage networks intelligently, and avoid costly truck rolls. If you haven’t deployed NetCloud Manager, you can start a free 30-day trial of NetCloud Manager.
Interim Mitigation until NetCloud OS Release
Because malicious tools could be used to obtain passwords during this period, Cradlepoint recommends the following step to protect your network during the interim:
- Disable Guest Access via the NETWORKING > Local Networks > Local IP Networks tab
Once NetCloud OS is Available
- Upgrade to the latest NetCloud OS version
- Re-enable Guest Access if it was disabled
For more information, please contact USAT Corp.