ICSA-19-122-03  ·  Published 2020-04-23  ·  Source: CISA ICS-CERT

Sierra Wireless AirLink ALEOS (Update B)

CVSS 9.1 (Critical)  ·  Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog

Risk Summary

Successful exploitation of these vulnerabilities could allow attackers to remotely execute code, discover user credentials, upload files, or discover file paths.

Remediations

  • Sierra Wireless recommends users upgrade to the latest version of ALEOS for the products and versions below. For upgrade assistance, contact an authorized AirLink reseller, Sierra Wireless sales, technical representative, or Sierra Wireless technical support.
  • LS300, GX400, GX440, ES440: ALEOS 4.4.9 (the ALEOS 4.4.9 Release Note is available; login required)
  • GX450, ES450: ALEOS 4.9.4.p09
  • MP70, MP70E, RV50, RV50X, LX40, LX60: ALEOS 4.12 (the ALEOS 4.12.0 Release Note is available; login required)
  • Ensure a strong password is set for the user account. For guidance on password strength, Sierra Wireless recommends the “memorized secret authenticator” guidelines in NIST SP800-63B.
  • If ALEOS Application Framework (AAF) is enabled, ensure a strong password is set for the AAF User account.
  • If Telnet or SSH is enabled, ensure a strong password is set for the console account.
  • When connecting directly to ACEmanager, use only HTTPS.
  • Utilize an up-to-date, modern web browser with built-in XSS and CSRF protection, such as Chrome, Firefox, or Edge.
  • The following SNORT rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to a Firepower Management Center or Snort.org.
  • Snort Rules: 48600, 48635, 48614 - 48621, 48747

Affected Vendors

Sierra Wireless

Affected Products (3)

Vendor             Products                                  Affected versions
Sierra Wireless    MP70, MP70E, RV50, RV50X, LX40, LX60      < 4.12
Sierra Wireless    LS300, GX400, GX440, ES440                < 4.4.9
Sierra Wireless    GX450, ES450                              < 4.9.4
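The remediation list and the affected-products table above together give the version floor per AirLink model. The following inventory-triage script is an added example, not part of this advisory or of any Sierra Wireless tooling: it flags devices whose ALEOS build is older than the fixed release named in the remediations. The product-to-version mapping is transcribed from the remediation list; note that the table lists GX450/ES450 as affected below 4.9.4 while the remediation names 4.9.4.p09, and the script assumes the patched build 4.9.4.p09 is the floor for those models. The version parser handles the dotted numeric form and the "pNN" patch suffix that appear on this page, pads short versions so 4.12 and 4.12.0 compare equal, and rejects anything it cannot parse. The inventory records are constructed for the example and describe no real devices.

```python
"""Inventory triage for ICSA-19-122-03: flag AirLink devices running ALEOS below the fixed release.

Added example; not the advisory's or Sierra Wireless's own code. The model-to-version mapping is
transcribed from the advisory's remediation list; the inventory rows below are constructed.
"""
import re

# Minimum fixed ALEOS release per model, from the remediation list on this page.
# Assumption: for GX450/ES450 the patched build 4.9.4.p09 is the floor (the affected-products
# table says "< 4.9.4", the remediation names 4.9.4.p09; the remediation is followed here).
FIXED_VERSION = {
    **dict.fromkeys(["LS300", "GX400", "GX440", "ES440"], "4.4.9"),
    **dict.fromkeys(["GX450", "ES450"], "4.9.4.p09"),
    **dict.fromkeys(["MP70", "MP70E", "RV50", "RV50X", "LX40", "LX60"], "4.12"),
}

# One dotted component: a plain integer ("4", "12") or a patch suffix such as "p09".
_COMPONENT = re.compile(r"^p?(\d+)$")


def parse_aleos_version(version):
    """Turn '4.9.4.p09' into (4, 9, 4, 9); raise ValueError on any other shape."""
    parts = []
    for token in version.strip().split("."):
        m = _COMPONENT.match(token)
        if not m:
            raise ValueError(f"unrecognised ALEOS version component {token!r} in {version!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)


def version_below(installed, fixed):
    """True if installed < fixed; shorter tuples are zero-padded so 4.12 equals 4.12.0."""
    a, b = parse_aleos_version(installed), parse_aleos_version(fixed)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def is_affected(model, installed_version):
    """True if the model is named in the advisory and its firmware predates the fixed release."""
    fixed = FIXED_VERSION.get(model.upper())
    if fixed is None:
        return False  # model not in scope for this advisory
    return version_below(installed_version, fixed)


def triage(inventory):
    """Return (asset_id, model, version, fixed_version) for every affected row in the inventory."""
    findings = []
    for asset_id, model, version in inventory:
        if is_affected(model, version):
            findings.append((asset_id, model, version, FIXED_VERSION[model.upper()]))
    return findings


# Constructed inventory for the example; these are not real devices or real firmware states.
SAMPLE_INVENTORY = [
    ("gw-001", "RV50", "4.9.3"),        # below 4.12: affected
    ("gw-002", "MP70", "4.12.0"),       # equals the 4.12 floor: not affected
    ("gw-003", "GX450", "4.9.4"),       # below the assumed 4.9.4.p09 floor: affected
    ("gw-004", "ES450", "4.9.4.p09"),   # at the patched build: not affected
    ("gw-005", "LS300", "4.4.9"),       # at the fixed release: not affected
    ("gw-006", "RV-UNLISTED", "4.0"),   # placeholder model not named in the advisory
]

if __name__ == "__main__":
    for asset_id, model, version, fixed in triage(SAMPLE_INVENTORY):
        print(f"{asset_id}: {model} on ALEOS {version} is below fixed release {fixed}")
```

Feed the script the (asset id, model, firmware) rows from your own asset register; anything it prints is a device still waiting on the upgrade listed in the remediations, and an unparseable version string raises rather than silently passing as patched.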

Affected Sectors

Commercial Facilities, Communications, Emergency Services, Energy, Government Facilities, Transportation Systems, Water and Wastewater Systems
