NetMotion Software
Security Advisory: CVE-2021-40067

September 10, 2021

Summary:

CVE-2021-40067: Incorrect access controls in Mobility read-write API.
NetMotion has released a server update for Mobility v12.x to remove a medium-severity incorrect access control vulnerability in the Mobility /webcontrol API. Customers who hold a valid v12 license and who have manually enabled the /webcontrol API should upgrade their servers to v12.14 as soon as is practical. In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default VPN port is UDP 5008. If you have changed the default VPN port, ensure that only that VPN port is exposed.

Download the updated versions of Mobility servers from our customer portal, or contact support for assistance. Consult the v12.14 documentation for guidance on securely configuring your Mobility deployment.

Details:

CVE-2021-40067 is specific to v12.0 through v12.12 servers. The /webcontrol API contains controls for reading and modifying the current state of devices, users, groups, and connections. Any user with a valid NTLM credential can read from and write to the /webcontrol API on the Mobility server if the API has been manually enabled. The API is disabled by default. For a credential to be considered ‘valid’, the server on which the NMS console runs must be joined to a domain for which the attacker has credentials, or the attacker must have a valid local username and password on that server. Access to /webcontrol should be limited to members of the Administrators group or another group configured in the Mobility Management Tool.

For an attack to succeed, the following three things must be true:

  1. The administrator must have enabled the API. It is disabled by default.
  2. The attacker must have either access to a local account on the server or access to a domain credential in a domain trusted by the server.
  3. The administrator must have disregarded our recommendations for secure systems deployment, as described in the 11.70 and 12.10 documentation, by exposing a management interface to an untrusted network.

Customers who have enabled the API, who have not followed NetMotion’s recommendations (v11.70 and v12.10) for the secure configuration and deployment of their Mobility servers, and who have exposed access to the server console to untrusted networks or IP addresses, are particularly vulnerable to this attack.

Customers who have manually enabled the /webcontrol API should download and install Mobility v12.14 servers to fix the vulnerability.
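The advisory's preconditions (API manually enabled, server in the affected v12.0 through v12.12 range, management interfaces reachable from untrusted networks alongside the VPN port) can be turned into a simple inventory audit. The following is an added example and not NetMotion's code: the `MobilityServer` record, its fields, the constructed sample inventory, and the finding codes are all assumptions made for illustration; the version range, the v12.14 fix, and the UDP 5008 default come from the advisory.

```python
"""Inventory audit for the conditions described in CVE-2021-40067.

Added example, not NetMotion's code. It checks each server record against
the advisory's three preconditions: the /webcontrol API has been manually
enabled, the server version is in the affected range (v12.0 through v12.12,
fixed in v12.14), and something other than the VPN port (UDP 5008 by
default) is reachable from untrusted networks. The record layout below is
an assumption; real deployments would populate it from their own CMDB or
firewall exports.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

AFFECTED_RANGE = ((12, 0), (12, 12))   # v12.0 through v12.12 per the advisory
FIXED_VERSION = (12, 14)                # server update that removes the issue


@dataclass
class MobilityServer:
    name: str
    version: str                        # e.g. "12.11" or "v12.11"
    webcontrol_enabled: bool            # /webcontrol is disabled by default
    vpn_port: int = 5008                # default VPN port is UDP 5008
    # (protocol, port) pairs reachable from untrusted networks
    exposed: List[Tuple[str, int]] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, int]:
    """Turn '12.11' / 'v12.11' into a comparable (major, minor) tuple."""
    major, minor = v.lower().lstrip("v").split(".")[:2]
    return int(major), int(minor)


def audit(server: MobilityServer) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one server record."""
    findings: List[Tuple[str, str]] = []
    ver = parse_version(server.version)
    in_affected = AFFECTED_RANGE[0] <= ver <= AFFECTED_RANGE[1]
    fixed = "v%d.%d" % FIXED_VERSION

    if in_affected:
        if server.webcontrol_enabled:
            findings.append(("AFFECTED",
                f"{server.name}: v{ver[0]}.{ver[1]} with /webcontrol enabled; upgrade to {fixed}"))
        else:
            # Not reachable while the API stays at its default (disabled), but
            # the server should be patched before anyone turns it on.
            findings.append(("UPGRADE_BEFORE_ENABLE",
                f"{server.name}: v{ver[0]}.{ver[1]} is in the affected range; upgrade to {fixed} before enabling /webcontrol"))

    # Only the VPN port should be reachable from untrusted networks.
    allowed = {("udp", server.vpn_port)}
    for proto, port in server.exposed:
        if (proto.lower(), port) not in allowed:
            findings.append(("EXPOSED",
                f"{server.name}: {proto.lower()}/{port} reachable from untrusted networks; only UDP {server.vpn_port} should be"))
    return findings


def codes(server: MobilityServer) -> List[str]:
    """Finding codes only, convenient for dashboards and tests."""
    return [code for code, _ in audit(server)]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_SERVERS = [
    MobilityServer("mob-01", "12.11", True, exposed=[("udp", 5008), ("tcp", 443)]),
    MobilityServer("mob-02", "12.14", True, exposed=[("udp", 5008)]),
    MobilityServer("mob-03", "12.10", False, vpn_port=5010, exposed=[("udp", 5010)]),
]

if __name__ == "__main__":
    for srv in SAMPLE_SERVERS:
        for code, msg in audit(srv) or [("OK", f"{srv.name}: no findings")]:
            print(f"[{code}] {msg}")
```

Running the sample flags `mob-01` twice (affected version with the API enabled, plus TCP 443 exposed beside the VPN port), reports nothing for the patched `mob-02`, and tells the operator of `mob-03` to upgrade before the API is ever enabled; the non-default VPN port on `mob-03` is honoured, as the advisory asks.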

For more information, please contact securityresponse@netmotionsoftware.com or support@netmotionsoftware.com.
