CVE-2021-40066: Incorrect access controls in Mobility read-only API.
NetMotion has released a server update for Mobility v11.x and v12.x to remove a low-severity incorrect access control vulnerability in the Mobility /webservice API. Customers should upgrade to either v11.76 or v12.14 servers as soon as is practical. In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default VPN port is UDP 5008; if you have changed the default VPN port, ensure that only that port is exposed.
Download the updated versions of Mobility servers from our customer portal, or contact support for assistance. Consult the v11.73 and v12.14 documentation for guidance on securely configuring your Mobility deployment.
CVE-2021-40066 is common to the v11.x optional Analytics module's server and the Mobility server console on v12.0 through v12.12. Any attacker with a valid NTLM credential and network access to the affected components can read from the /webservice API. For a credential to be considered "valid", the server on which the Analytics module runs or the server on which the NMS runs must be joined to a domain for which the attacker has credentials, OR the attacker must have a valid local username and password on that server. Access to that API should be limited to members of the local Administrators group; in v12.x this group is manually configurable. The API exposes information on the current status of pool servers, devices, users, and sessions.
For an attack to succeed, the following two things must be true:
- The attacker must have either a local account on the server or a credential in a domain trusted by the server.
- The administrator must have disregarded our recommendations for secure systems deployment, as described in the 11.70 and 12.10 documentation, by exposing a management interface to an untrusted network.
Customers who have not followed NetMotion's recommendations (v11.76 and v12.14) for the secure configuration and deployment of their Mobility servers, and who have exposed the Mobility Analytics module or the server console web server to untrusted networks or IP addresses, are particularly vulnerable to this attack.
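The exposure condition above, and the earlier recommendation that only the VPN port (UDP 5008 by default) be reachable from untrusted networks, can be checked from an external vantage point with an ordinary port scan. The following audit script is an added example and is not NetMotion's code: it parses nmap's grepable output format (-oG) from a scan run against the server's public address and flags every open or open|filtered port other than the configured VPN port, which is how a web console or Analytics listener exposed by mistake would show up. The host addresses and scan lines embedded below are constructed sample data, not real scan results.

```python
"""Audit an external nmap -oG scan of a Mobility server against the advisory's
exposure rule: only the VPN port (UDP 5008 unless changed) may be reachable
from untrusted networks.  Added example, not NetMotion code."""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str      # "tcp" or "udp"
    state: str      # "open" or "open|filtered" (UDP scans often report the latter)
    service: str    # nmap's service guess, informational only


# nmap grepable lines are tab-separated: "Host: <addr> (<name>)\tPorts: <entries>\tIgnored State: ..."
# Each entry is port/state/protocol/owner/service/rpcinfo/version, entries joined by ", ".
_PORTS_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Return the open (or open|filtered) ports reported in nmap -oG output."""
    found = []
    for line in text.splitlines():
        m = _PORTS_LINE.match(line)
        if not m:
            continue  # comments, "Status: Up" lines, etc.
        host, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service = fields[:5]
            if state.startswith("open"):
                found.append(OpenPort(host, int(port), proto, state, service))
    return found


def audit_exposure(open_ports, vpn_port=5008, vpn_proto="udp"):
    """Return every reachable port that is not the VPN port.

    Anything in this list violates the advisory's deployment guidance; an HTTP
    or HTTPS listener here would mean the server console or Analytics web
    server is reachable from the untrusted side."""
    return [p for p in open_ports
            if not (p.port == vpn_port and p.proto == vpn_proto)]


def report(open_ports, vpn_port=5008, vpn_proto="udp"):
    """Human-readable summary; returns the text rather than printing it."""
    bad = audit_exposure(open_ports, vpn_port, vpn_proto)
    if not bad:
        return f"OK: only {vpn_proto}/{vpn_port} is reachable"
    lines = [f"FAIL: {len(bad)} port(s) besides {vpn_proto}/{vpn_port} are reachable:"]
    lines += [f"  {p.host} {p.proto}/{p.port} {p.state} ({p.service})" for p in bad]
    return "\n".join(lines)


# Constructed sample scans (fake addresses from the RFC 5737 documentation range).
SAMPLE_SCAN_EXPOSED = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 5008/open|filtered/udp//unknown///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

SAMPLE_SCAN_HARDENED = """# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 5008/open|filtered/udp//unknown///\tIgnored State: filtered (999)
# Nmap done (constructed sample)
"""

if __name__ == "__main__":
    print(report(parse_grepable(SAMPLE_SCAN_EXPOSED)))
    print(report(parse_grepable(SAMPLE_SCAN_HARDENED)))
```

Run the scan from outside the firewall (for example `nmap -sS -sU -p- -oG scan.gnmap <public-address>`) and feed the file to `parse_grepable`; if you have moved the VPN off the default port, pass that port to `audit_exposure` so the changed port is the only one allowed, as the advisory requires. The script judges reachability only; it says nothing about whether the update has been installed, so it complements rather than replaces the upgrade.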
All customers should download and install updated versions of either the v11.x or v12.x servers to fix the vulnerability.
For more information, please contact firstname.lastname@example.org or email@example.com