NetMotion Software
8 February 2021 Update: Security vulnerabilities in Mobility web servers prior to 11.73 / 12.02

January 25, 2021

Summary:

On November 19, 2020, NetMotion alerted customers to security vulnerabilities in the Mobility web server and released updates for Mobility v11.x and v12.x to address them.

The CVSS 3.1 base score for these vulnerabilities is 8.1 (High).

The vulnerabilities were fixed in Mobility v11.73 and v12.02, both released on November 19, 2020. Customers should upgrade immediately to these or later versions.

Download the updated versions of Mobility servers from the NetMotion customer portal, or contact support for assistance. Consult the Mobility v11.73 and v12.02 or later documentation for guidance on securely configuring your Mobility deployment. 

In addition, customers should verify that their Mobility servers sit behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default VPN port is UDP 5008. If you have changed the default VPN port, ensure that only the port you configured is exposed.

Details

Prior to Mobility v11.73 and v12.02, an attacker with network access to the Mobility web server, which hosts the Mobility management console and some inter-server communication processes, could exploit Java deserialization vulnerabilities. Successful exploitation results in remote code execution with system privileges and requires no prior authentication. Customers who have followed NetMotion's secure-deployment recommendations are exposed to this attack only from inside the protected network where the Mobility web server is deployed.

Mobility v11.73 and v12.02 fix these vulnerabilities and mitigate future exploitation of this class of attack by implementing a safe Java object reader and, where appropriate, cryptographically validating input before it is deserialized.
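The following is an added example written for this page; it is not NetMotion's code and does not describe how Mobility implements its fix. It assumes a hypothetical StatusReport message type, a hypothetical Unexpected class standing in for an attacker-supplied gadget class, and a hard-coded demo HMAC key. It contrasts the vulnerable pattern (calling readObject() on an unfiltered ObjectInputStream fed by an unauthenticated client) with a reader that applies a JEP 290 class allow-list (one common way to build a "safe object reader"; the assumption here, not a statement about NetMotion's implementation) and verifies an HMAC over the byte stream before any object is read. The MAC check is only meaningful where the sender is a trusted peer sharing the key, which is why an allow-list is still needed on top of it. Run with `java HardenedDeserialization.java` on Java 11 or later.

```java
// HardenedDeserialization.java - added example, not NetMotion code.
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HardenedDeserialization {

    // Hypothetical message type the server legitimately expects from a peer.
    static final class StatusReport implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host; final int load;
        StatusReport(String host, int load) { this.host = host; this.load = load; }
    }

    // Hypothetical stand-in for an attacker-chosen class. Its readObject() runs
    // during deserialization, which is where a real gadget chain executes code.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // VULNERABLE: any serializable class on the classpath can be instantiated,
    // and its readObject() runs, before the caller ever sees the result.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENING 1: allow-list filter (JEP 290). Only the named classes may appear
    // in the stream; "!*" rejects everything else before instantiation. The
    // depth/reference limits bound resource use from malformed streams.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
        StatusReport.class.getName() + ";java.lang.String;!*;maxdepth=5;maxrefs=64");

    // HARDENING 2: HMAC over the serialized bytes. Demo key only; a deployment
    // would load a per-peer secret from protected configuration.
    static final byte[] KEY = "demo-shared-secret-not-for-production".getBytes(StandardCharsets.UTF_8);
    static final int TAG_LEN = 32; // HmacSHA256 output size

    static byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Sender side: tag || payload.
    static byte[] seal(Object o) throws Exception {
        byte[] payload = serialize(o);
        byte[] tag = hmac(payload);
        byte[] out = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(payload, 0, out, TAG_LEN, payload.length);
        return out;
    }

    // Receiver side: verify the MAC in constant time, then deserialize under the filter.
    static Object safeRead(byte[] sealed) throws Exception {
        if (sealed.length < TAG_LEN) throw new SecurityException("input too short");
        byte[] tag = Arrays.copyOfRange(sealed, 0, TAG_LEN);
        byte[] payload = Arrays.copyOfRange(sealed, TAG_LEN, sealed.length);
        if (!MessageDigest.isEqual(hmac(payload), tag)) {
            throw new SecurityException("bad MAC; input not deserialized");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] attackerBlob = serialize(new Unexpected()); // constructed: unauthenticated client input
        unsafeRead(attackerBlob);
        System.out.println("unsafeRead: attacker readObject() ran = " + Unexpected.readObjectRan);
        Unexpected.readObjectRan = false;

        try { safeRead(attackerBlob); }
        catch (SecurityException e) { System.out.println("safeRead: " + e.getMessage()); }

        // Even a correctly MACed stream cannot smuggle a class past the allow-list.
        try { safeRead(seal(new Unexpected())); }
        catch (InvalidClassException e) { System.out.println("safeRead: filter rejected (" + e.getMessage() + ")"); }
        System.out.println("safeRead: attacker readObject() ran = " + Unexpected.readObjectRan);

        StatusReport r = (StatusReport) safeRead(seal(new StatusReport("mobility-01", 3)));
        System.out.println("safeRead: accepted " + r.host + " load=" + r.load);
    }
}
```

The order of the two checks matters: the MAC is verified over raw bytes before ObjectInputStream is even constructed, so an unauthenticated blob never reaches the deserializer; the filter then rejects any class outside the allow-list at descriptor-resolution time, before readObject() on that class can run.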

NetMotion thanks SSD Disclosure for their professionalism in bringing these vulnerabilities to our attention, working with us under the principles of responsible disclosure, and ensuring that our customers had an opportunity to update their systems prior to releasing any details.

For more details on these vulnerabilities, see the SSD Disclosure advisory: https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/

CVE identifiers:

CVE-2021-26912
CVE-2021-26913
CVE-2021-26914
CVE-2021-26915

CVSS 3.1 Vector String: 

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

For more information, please contact securityresponse@netmotionsoftware.com
