Sierra Wireless ALEOS update 4.4.5 for AirLink devices

Number: AV18-006
Date: 09 January 2018

Purpose

The purpose of this advisory is to bring attention to a recent ALEOS software release that addresses a number of configuration and third-party vulnerabilities.

Assessment

ALEOS has released product updates addressing multiple security vulnerabilities for multiple ALEOS products.

Among the changes in this release: certain default account settings have been changed to reduce security risks when exposed to untrusted networks; the ACEmanager viewer account has been removed (1); firmware updates are now authenticated; DMZ will be disabled when “Host Connection Mode” is not set to “Ethernet Uses Public IP” and “DMZ Enabled” is set to “Automatic”; and a user space monitor has been added to the flash memory file system.

Affected Products:
AirLink GX400, GX440, ES440, and LS300 running software prior to 4.4.5.

CVE References:

User input validation: CVE-2017-15043
OpenSSL: CVE-2016-0701, CVE-2017-3731, CVE-2016-2181, CVE-2016-0702, CVE-2017-3732, CVE-2016-2182, CVE-2016-0705, CVE-2016-2105, CVE-2016-2183, CVE-2016-0797, CVE-2016-2106, CVE-2016-6302, CVE-2016-0798, CVE-2016-2107, CVE-2016-6303, CVE-2016-0799, CVE-2016-2109, CVE-2016-6304, CVE-2016-0800, CVE-2016-2176, CVE-2016-6306, CVE-2016-2842, CVE-2016-2177, CVE-2015-3195, CVE-2015-1794, CVE-2016-2178, CVE-2015-3197, CVE-2015-3193, CVE-2016-2179, CVE-2015-3194, CVE-2016-2180
Dropbear: CVE-2017-9078 and CVE-2017-9079
Tcpdump and Libpcap: CVE-2014-8769 and CVE-2014-8767
Linux kernel: CVE-2017-14106, CVE-2014-7822, CVE-2014-9888, CVE-2015-3288
OpenVPN: CVE-2017-7520 and CVE-2017-7479
SNMP: CVE-2015-5621
Libcurl: CVE-2016-5421
Dnsmasq: CVE-2017-14496, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates on affected platforms accordingly.

CCIRC recommends confirming whether your remote access, mobile or off-site solutions include this type of cellular gateway. Contact your integrator or service provider for more information on how to properly test and deploy the vendor-released updates on affected platforms.

References:

Release Notes:
