Cradlepoint Security Bulletin Notice – 2022-001

Cradlepoint is aware of the potential for information not intended to be included in activity logs or to have been written to the logs on Cradlepoint routers running NCOS 7.21.40. or newer operating systems prior to October 21, 2022. or newer operating systems prior to October 21, 2022. Analysis of the threat level of this potential for information disclosure has indicated that this is a minor issue, but in the interest of transparency, we want to share complete details.

On April 5th, 2021, NCOS version 7.21.40 was released which included changes to NCOS config encryption for secrets. If you made individual configuration changes on a specific device involving a secret, the secret would be recorded in the Activity Log as clear text and not encrypted. Any changes to secrets made via group configurations would be unaffected. Your account has been identified as making an induvial configuration change on a router in the time frame.

Any authenticated user of NetCloud Manager would have already been able to see these secrets in the configuration within NetCloud Manager, however, it may not be expected for this information to be readable in the Activity Log. The secrets recorded in the Activity Logs would be items such as the passwords for configuration items like Wi-Fi or VPN tunnel passwords. NCM and NCOS passwords were not exposed in the Activity Logs. If you made group configuration changes, your Cradlepoint routers are not affected by this issue.

Cradlepoint issued and applied a fix as of October 21, 2022, and all sensitive (secrets) data in the individual configuration Activity Log have been masked to remove the ability to view the data in the activity logs for all Cradlepoint systems. As always, we encourage our customers to update and maintain current operating systems and change all default passwords to maintain good security hygiene. Details are being provided and updated on the Cradlepoint Trust site for access by all Cradlepoint users, we appreciate your support in encouraging any concerned customers to update secrets/password contained in the router configurations for items such as Wi-Fi, VPN tunnels, etc., and help field any questions.

If you have any further questions, please contact your channel manager directly or our support team if you need assistance with a customer. You can also always visit Cradlepoint’s Trust site: https://cradlepoint.com/about-us/trust/