Detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation in Google Chronicle
Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2018_4063_aleos_unrestricted_upload {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2018-4063: Sierra Wireless AirLink ALEOS unrestricted file upload exploitation via ACEmanager"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03"
cve = "CVE-2018-4063"
mitre_attack = "T1190, T1059"
events:
$http.metadata.event_type = "NETWORK_HTTP"
$http.network.http.method = "POST"
(
$http.network.http.request_url = /acemanager/i
or $http.network.http.request_url = /\/upload/i
or $http.network.http.request_url = /\/cgi-bin/i
or $http.network.http.request_url = /\/firmware/i
)
(
$http.network.http.request_url = /\.php$/i
or $http.network.http.request_url = /\.asp$/i
or $http.network.http.request_url = /\.aspx$/i
or $http.network.http.request_url = /\.jsp$/i
or $http.network.http.request_url = /\.cgi$/i
or $http.network.http.request_url = /\.sh$/i
or $http.network.http.request_url = /\.elf$/i
or $http.network.http.request_url = /\.py$/i
)
$http.network.application_protocol = "HTTP" or $http.network.application_protocol = "HTTPS"
$http.principal.ip = $source_ip
$http.target.ip = $dest_ip
condition:
$http
}Chronicle YARA-L rule detecting HTTP POST requests with dangerous file extensions targeting Sierra Wireless AirLink ALEOS management URLs, consistent with CVE-2018-4063 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Authorized ACEmanager firmware upgrade sessions performed during maintenance windows
- Network administrator CGI script uploads for legitimate ALEOS configuration tasks
- Security operations center personnel conducting authorized exploit verification in isolated lab environments
- Vendor-initiated remote support sessions involving file transfers to ALEOS devices
Other platforms for CVE-2018-4063
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate File Upload to ALEOS ACEmanager Endpoint
Expected signal: HTTP POST to port 9443 with multipart/form-data body containing a .php file extension; network flow from attacker IP to ALEOS management IP
- Test 2Upload ELF Binary to ALEOS CGI Directory
Expected signal: POST request to /cgi-bin/upload with Content-Disposition header containing filename ending in .elf; successful HTTP 200 response if device is unpatched
- Test 3Enumerate ALEOS ACEmanager Upload Endpoints
Expected signal: Sequential GET requests from a single source IP to multiple ALEOS management paths within a short time window; HTTP response codes indicating which paths are accessible
References (4)
- https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03
- https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi-psa-2019-003
- https://source.sierrawireless.com/resources/airlink/hardware_reference_docs/airlink_es450_eol
- https://nvd.nist.gov/vuln/detail/CVE-2018-4063
Unlock Pro Content
Get the full detection package for CVE-2018-4063 including response playbook, investigation guide, and atomic red team tests.