On June 12th, 2014, Cradlepoint released an announcement regarding vulnerabilities within OpenSSL (Heartbleed bug). These issues were mitigated by an update to Enterprise Cloud Manager on 6/9/2014 at 8pm EDT, but the CBR400/450 and MBR95 weren’t fixed and were instead announced as end of life (screenshot above). Shortly thereafter, Cradlepoint indicated that the MBR95 wasn’t included in the end-of-life process, but there are no additional firmware builds scheduled for the MBR95 units (screenshot of the retraction below). The lack of future firmware updates doesn't mean that the MBR95 will no longer be supported by Cradlepoint or 3Gstore, but it DOES mean that future 3G and 4G modems will not be supported, and no new bug fixes or features will be available.
Cradlepoint has released a recommended course of action for anybody currently using MBR95 units. It protects against the OpenSSL vulnerability, but it also limits the functionality of features within the router.
MBR95 Mitigation for OpenSSL Vulnerability suggestions:
- Disable remote web administration*
- Ensure any web browser used to access the Web GUI (local or remote) is fully updated to the latest version.
Aside from those two recommendations, the only other recourse MBR95 users have is to upgrade to a unit that has received firmware updates that completely fix the vulnerability, like the MBR1200B, MBR1400 or IBR600/650 series. All of these units have received updated firmware build 5.1.2, which fixes the security risks of the OpenSSL bug. Depending on your application and how you’re using the MBR95s, it may or may not be worth upgrading to new hardware. Here is our recommendation if you have MBR95 units:
3Gstore Recommendation on MBR95 Units:
If you’re a home user simply using the MBR95 to provide connectivity through your home, disable remote admin capability and ensure your browser is up to date. Even though the units will receive no additional firmware updates or features, your equipment will not just stop working if you don’t change to a newer device. In fact, there are still lots of customers running legacy routers like the MBR1000, and that model hasn’t received a firmware update in several years. Firmware upgrades will only become an issue for you if you upgrade to newer USB devices that aren’t listed as supported on the latest firmware build for the unit. Normally Cradlepoint releases new firmware every 2-3 months that adds support for additional modems and/or carriers that provide cellular connectivity, BUT they have announced that the MBR95 will no longer receive these firmware upgrades.
If you’re a business user and have either standardized on the MBR95 or are evaluating it for a larger rollout throughout your company, it’s probably time to start evaluating new hardware. The closest alternatives to the MBR95 right now are the MBR1200B or, if you want to evaluate a different manufacturer, the Pepwave Surf SOHO. These units are unaffected by the OpenSSL bug and receive timely firmware updates to add new features, fix bugs and support cloud management platforms to easily manage hundreds of units deployed out in the field. Most companies are likely going to want remote admin capability, and if the main recommendation from Cradlepoint is to disable this feature, you’ll either lose a crucial feature or ultimately leave your company with a huge security risk.
Thinking of switching Cradlepoint models? Contact us to discuss your needs
* Steps to disable MBR95 Remote Web Admin:
- Log in to your router at 192.168.0.1 through a web browser. If you’ve changed the default IP, enter the new IP of the router.
- Click “System Settings” on the top right tab and select “Administration” from the drop-down menu.
- On the left-hand side, click the tab called “Remote Management”.
- In the main window you will see “Allow Remote Web Administration”. Remove the checkmark, then navigate to the bottom of the page and click the “Apply” button.
- You have now disabled Remote Web Administration.
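To confirm the change took effect on one unit or a whole fleet, the following added example (not Cradlepoint or 3Gstore code) checks from an outside network whether a web admin listener still answers on each router's WAN address. The port numbers are assumptions; substitute the port shown on your own Remote Management page, and pass your own units' WAN addresses on the command line.

```python
import socket
import ssl
import sys

# Assumption: candidate remote-admin ports. Replace with the port configured
# on the router's Remote Management page.
CANDIDATE_PORTS = (443, 8080)


def probe(host, port, timeout=3.0):
    """Classify one host/port as 'closed' or one of two 'open' states."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    # Certificate checks are off: router certificates are self-signed and
    # this only tests reachability; no credentials are ever sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "open (tls)"
    except (ssl.SSLError, OSError):
        # Still exposed: a plain-HTTP listener, or TLS too old for this client.
        return "open (no tls handshake)"
    finally:
        sock.close()


def audit(hosts, ports=CANDIDATE_PORTS, timeout=3.0):
    """Return {(host, port): state} for every listener that still answers."""
    findings = {}
    for host in hosts:
        for port in ports:
            state = probe(host, port, timeout)
            if state != "closed":
                findings[(host, port)] = state
    return findings


if __name__ == "__main__":
    exposed = audit(sys.argv[1:])
    for (host, port), state in sorted(exposed.items()):
        print(f"{host}:{port} still reachable: {state}")
    sys.exit(1 if exposed else 0)
```

Run it from a connection outside the router's LAN (the same check from inside the LAN will always reach the local Web GUI); an exit status of 0 means none of the probed ports answered.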