Summary:

On November 19, 2020, NetMotion alerted customers to security vulnerabilities in the Mobility web server and released updates for Mobility v11.x and v12.x to address them.

The CVSS 3.1 base score for these vulnerabilities is 8.1 (High).

The vulnerabilities were fixed in Mobility v11.73 and v12.02, which were released on November 19, 2020. Customers should upgrade immediately to these or later versions.

Download the updated versions of Mobility servers from the NetMotion customer portal, or contact support for assistance. Consult the Mobility v11.73 and v12.02 or later documentation for guidance on securely configuring your Mobility deployment.

In addition, customers should verify that their Mobility servers are behind a commercial firewall and that only the VPN port is exposed to untrusted networks. The default VPN port is UDP 5008. If you have changed the default VPN port, ensure that only the port you configured is exposed.

Details:

Prior to Mobility v11.73 and v12.02, attackers with access to the Mobility web server, which hosts the Mobility management console and some inter-server communications processes, could exploit Java deserialization vulnerabilities. Successful exploitation results in remote code execution with system privileges without prior authentication. Customers who have followed NetMotion’s recommendations for secure deployment are only vulnerable to this attack from inside their protected network where the Mobility web server is deployed.

Mobility v11.73 and v12.02 fixed these vulnerabilities and mitigated future exploitation of this class of attack by implementing a safe Java object reader and cryptographic validation of input prior to deserialization where appropriate.
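The two controls named above, an allow-listing object reader and cryptographic validation of the bytes before they reach the deserializer, can be illustrated in plain Java. The following is an added example written for this page; it is not NetMotion's code and does not reflect how Mobility implements either control. The message class `StatusMessage`, the `seal`/`open` functions, the allow-list pattern and the demo key are all constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical message type that this endpoint legitimately exchanges (constructed for the example).
final class StatusMessage implements Serializable {
    private static final long serialVersionUID = 1L;
    final String node;
    final int load;
    StatusMessage(String node, int load) { this.node = node; this.load = load; }
}

public final class SafeDeserializer {
    private static final int TAG_LEN = 32; // HMAC-SHA256 tag length in bytes

    // Allow-list: only the types this endpoint handles may be instantiated from the stream.
    // Everything else ("!*") is rejected before ObjectInputStream resolves the class.
    // The size limits bound resource use from oversized or deeply nested object graphs.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "StatusMessage;java.lang.String;!*;maxdepth=8;maxrefs=256;maxbytes=65536");

    private static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Sender side: serialize the object and prefix it with an HMAC over the serialized bytes.
    static byte[] seal(byte[] key, Serializable obj) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(obj);
        }
        byte[] payload = buf.toByteArray();
        byte[] tag = hmac(key, payload);
        byte[] sealed = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, sealed, 0, TAG_LEN);
        System.arraycopy(payload, 0, sealed, TAG_LEN, payload.length);
        return sealed;
    }

    // Receiver side: verify the tag first, then deserialize under the allow-list filter.
    static Object open(byte[] key, byte[] sealed) throws Exception {
        if (sealed.length < TAG_LEN) {
            throw new SecurityException("message too short to carry a tag");
        }
        byte[] tag = Arrays.copyOfRange(sealed, 0, TAG_LEN);
        byte[] payload = Arrays.copyOfRange(sealed, TAG_LEN, sealed.length);
        // Constant-time comparison; unauthenticated bytes never reach ObjectInputStream.
        if (!MessageDigest.isEqual(tag, hmac(key, payload))) {
            throw new SecurityException("HMAC verification failed");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(ALLOW_LIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment loads it from protected configuration.
        byte[] key = "demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

        // 1. A well-formed, authenticated message of an allowed type is accepted.
        byte[] good = seal(key, new StatusMessage("node-a", 42));
        StatusMessage msg = (StatusMessage) open(key, good);
        System.out.println("accepted: " + msg.node + " load=" + msg.load);

        // 2. An authenticated message of a type outside the allow-list is still rejected by the
        //    filter, so the allow-list holds even if a key holder sends the wrong kind of object.
        byte[] wrongType = seal(key, new java.util.HashMap<String, String>());
        try {
            open(key, wrongType);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }

        // 3. A message altered in transit fails the HMAC check before any deserialization happens.
        byte[] tampered = good.clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            open(key, tampered);
        } catch (SecurityException e) {
            System.out.println("rejected before deserialization: " + e.getMessage());
        }
    }
}
```

Save as `SafeDeserializer.java` and build with `javac` on Java 9 or later, where `ObjectInputFilter` is part of `java.io`. The order of the two checks is the point: the MAC is verified over the raw bytes so that an unauthenticated stream is never handed to `ObjectInputStream`, and the filter is applied anyway so that an authenticated peer is still limited to the types the endpoint expects.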

NetMotion thanks SSD Disclosure for their professionalism in bringing these vulnerabilities to our attention, working with us under the principles of responsible disclosure, and ensuring that our customers had an opportunity to update their systems prior to releasing any details.

For more details on these vulnerabilities, see the SSD Disclosure advisory: https://ssd-disclosure.com/ssd-advisory-netmotion-mobility-server-multiple-deserialization-of-untrusted-data-lead-to-rce/

CVE-2021-26912

CVE-2021-26913

CVE-2021-26914

CVE-2021-26915

CVSS 3.1 Vector String:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H