External risk intelligence

NOVUS AirGate 4G exposes administrator login details, potentially leading to unauthorized control.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2023-24215

NOVUS AirGate 4G firmware has a critical flaw that lets anyone steal administrator passwords. This means unauthorized people could take control of your network access points.

4Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2023-24215

The NOVUS AirGate 4G is a gateway appliance typically deployed at the network edge. Because it provides network connectivity and administration functions, its management interface is often exposed to the public internet, either intentionally for remote access or through common misconfiguration, making the vulnerable endpoint reachable in many real-world deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in NOVUS AirGate 4G firmware allows unauthenticated attackers to gain administrator credentials. An attacker could exploit this by sending a crafted request to a specific endpoint, potentially leading to unauthorized access and control of the device.

Exposed administrator credentials.
Affects internet-facing gateways.
Unauthenticated access possible.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this flaw by sending a specially crafted POST request to the `/uci/get/` endpoint on vulnerable NOVUS AirGate 4G devices. This allows them to bypass authentication and retrieve administrator credentials, giving them full control over the device.

Target the `/uci/get/` endpoint.
No authentication required.
Obtain admin credentials.

Live Threat

Current exploitation, exposure, and threat context

Attackers are likely to target this vulnerability due to its critical severity and direct pathway to administrator credentials without authentication. The exposure of this endpoint via the network allows for easy remote exploitation, making it an attractive target for compromising network infrastructure. There is currently no indication of widespread exploitation, but the clear exploit path suggests potential for future weaponization.

Public exploit details are available.
No observed exploitation signals yet.
Recency signal is from recent disclosure.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate investigation and containment for affected NOVUS AirGate 4G devices. The vulnerability allows unauthenticated attackers to gain administrator credentials, posing a critical risk of complete system compromise. Teams should focus on identifying all instances of this firmware version and isolating them from the network to prevent exploitation.

Check network logs for suspicious /uci/get/ requests.
Isolate or disconnect affected devices.
Monitor for unauthorized administrative access.

Frequently asked questions

What is the NOVUS AirGate 4G and its role?

The NOVUS AirGate 4G is an industrial cellular network VPN router designed for secure remote access to distributed applications and industrial equipment. It ensures constant and reliable connectivity in environments with limited network infrastructure, offering features like dual SIM with automatic failover, integrated VPN, and SMS notifications. It also provides security functions such as a firewall and data encryption to protect exchanged information.

How does CVE-2023-24215 lead to credential theft?

CVE-2023-24215 is an incorrect access control vulnerability (CWE-284) affecting NOVUS AirGate 4G firmware v1.1.16. It allows unauthenticated attackers to obtain administrator credentials by sending a specific POST request to the /uci/get/ endpoint on affected devices.

What is the attack path for CVE-2023-24215?

An attacker can exploit CVE-2023-24215 by sending a crafted POST request to the `/uci/get/` endpoint of the vulnerable NOVUS AirGate 4G. This bypasses authentication, allowing the attacker to retrieve administrator credentials.

What is the relevance of CVE-2023-24215?

The NOVUS AirGate 4G, often deployed at network edges, provides critical connectivity and administration functions. Because its management interface can be exposed to the internet, this vulnerability, which grants administrator credentials without authentication, poses a significant risk of unauthorized control and network compromise. The Halo Surface Signal indicates a 'Likely' exploitation risk due to the direct pathway to credentials and potential internet exposure of the device.

What are the recommended steps to mitigate CVE-2023-24215?

To mitigate CVE-2023-24215, restrict the AirGate 4G web management interface to trusted networks and block WAN access. Rotate administrator passwords on all affected devices after isolating management access. Audit device configurations for unauthorized changes and contact NOVUS for firmware updates beyond v1.1.16. Network logs should be checked for suspicious `/uci/get/` requests.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.