Summary:
CVE-2021-40067: Incorrect access controls in Mobility read-write API.
NetMotion has released a server update for Mobility v12.x to remove a medium-severity incorrect access control vulnerability in the Mobility /webcontrol API. Customers who hold a valid v12 license and who have manually enabled the /webcontrol API should upgrade to v12.14 servers as soon as is practical. In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default VPN port is UDP 5008. If you have changed the default VPN port, ensure that only that VPN port is exposed.
Download the updated versions of Mobility servers from our customer portal, or contact support for assistance. Consult the v12.14 documentation for guidance on securely configuring your Mobility deployment.
Details:
CVE-2021-40067 is specific to v12.0 through v12.12 servers. The /webcontrol API contains controls for reading and modifying the current state of devices, users, groups, and connections. Any user with a valid NTLM credential can read and write to the /webcontrol API on the Mobility server if it has been manually enabled. The API is disabled by default. For a credential to be considered ‘valid’, the server on which the NMS console runs must be joined to a domain for which the attacker has credentials OR the attacker must have a valid local username and password on that server. Access to /webcontrol should be limited to members of the Administrators group or another group configured in the Mobility Management Tool.
For an attack to succeed, the following three things must be true:
- The administrator must have enabled the API. It is disabled by default.
- The attacker must have either access to a local account on the server or have access to a domain credential in a domain trusted by the server.
- The administrator must have disregarded our recommendations for secure systems deployment as described in the 11.70 and 12.10 documentation by exposing a management interface to an untrusted network.
Customers who have enabled the API, who have not followed NetMotion’s recommendations (v11.70 and v12.10) for the secure configuration and deployment of their Mobility servers, and who have exposed access to the server console to untrusted networks or IP addresses, are particularly vulnerable to this attack.
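The defect described above is authentication being mistaken for authorization: a caller with any valid NTLM credential is allowed through, where only members of the configured administrative group should be. The following is an added illustration of that distinction, not NetMotion's code; the Principal type, the function names and the sample accounts are constructed assumptions, and the real server's request handling is not reproduced.

```python
"""Model of the /webcontrol authorization defect described in CVE-2021-40067.

Added illustration, not NetMotion code. Principal, the authorize_* functions
and the sample accounts are constructed assumptions used to contrast
"the caller has a valid credential" with "the caller is in the configured
admin group".
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """Identity established by NTLM: a domain or local account plus its groups."""
    name: str
    domain: str                     # e.g. "CORP" for a domain account, "." for local
    groups: frozenset = field(default_factory=frozenset)


# Hypothetical server-side settings: the API is off by default, and the group
# allowed to use it is whatever the administrator configured (Administrators here).
WEBCONTROL_ENABLED = False
WEBCONTROL_ADMIN_GROUP = "Administrators"


def is_webcontrol(path):
    """True for the /webcontrol API and anything beneath it (assumed layout)."""
    return path == "/webcontrol" or path.startswith("/webcontrol/")


def authorize_vulnerable(principal, path, enabled=WEBCONTROL_ENABLED):
    """v12.0 to v12.12 behaviour as described: any authenticated caller passes."""
    if not is_webcontrol(path) or not enabled:
        return False
    return principal is not None    # authentication treated as authorization


def authorize_fixed(principal, path, enabled=WEBCONTROL_ENABLED,
                    admin_group=WEBCONTROL_ADMIN_GROUP):
    """Corrected check: authenticated AND a member of the configured group."""
    if not is_webcontrol(path) or not enabled or principal is None:
        return False
    return admin_group in principal.groups


# Constructed sample accounts for the demonstration.
DOMAIN_USER = Principal("jsmith", "CORP", frozenset({"Domain Users"}))
LOCAL_ADMIN = Principal("mobilityadmin", ".", frozenset({"Administrators"}))

if __name__ == "__main__":
    for p in (DOMAIN_USER, LOCAL_ADMIN):
        print(p.name, authorize_vulnerable(p, "/webcontrol", enabled=True),
              authorize_fixed(p, "/webcontrol", enabled=True))
```

Reads and writes are gated by the same check here because the advisory describes the API as read-write for any valid credential; the same group test applies to both.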
Customers who have manually enabled the /webcontrol API should download and install Mobility v12.14 servers to fix the vulnerability.
For more information, please contact securityresponse@netmotionsoftware.com or support@netmotionsoftware.com.