Sierra Wireless ALEOS update 4.4.5 for AirLink devices

Number: AV18-006
Date: 09 January 2018

Purpose

The purpose of this advisory is to bring attention to a recent ALEOS software release that addresses a number of configuration and third-party vulnerabilities.

Assessment

ALEOS has released product updates addressing multiple security vulnerabilities for multiple ALEOS products.

Among the changes in this release: certain default account settings have been changed, which will reduce security risks when devices are exposed to untrusted networks; the ACEmanager viewer account has been removed (1); firmware updates are now authenticated; DMZ will be disabled when “Host Connection Mode” is not set to “Ethernet Uses Public IP” and “DMZ Enabled” is set to “Automatic”; and a user space monitor has been added to the flash memory file system.

Affected Products:
AirLink GX400, GX440, ES440, and LS300 running software prior to 4.4.5.

CVE References:

User input validation: CVE-2017-15043
OpenSSL: CVE-2016-0701, CVE-2017-3731, CVE-2016-2181, CVE-2016-0702, CVE-2017-3732, CVE-2016-2182, CVE-2016-0705, CVE-2016-2105, CVE-2016-2183, CVE-2016-0797, CVE-2016-2106, CVE-2016-6302, CVE-2016-0798, CVE-2016-2107, CVE-2016-6303, CVE-2016-0799, CVE-2016-2109, CVE-2016-6304, CVE-2016-0800, CVE-2016-2176, CVE-2016-6306, CVE-2016-2842, CVE-2016-2177, CVE-2015-3195, CVE-2015-1794, CVE-2016-2178, CVE-2015-3197, CVE-2015-3193, CVE-2016-2179, CVE-2015-3194, CVE-2016-2180
Dropbear: CVE-2017-9078 and CVE-2017-9079
Tcpdump and Libpcap: CVE-2014-8769 and CVE-2014-8767
Linux kernel: CVE-2017-14106, CVE-2014-7822, CVE-2014-9888, CVE-2015-3288
OpenVPN: CVE-2017-7520 and CVE-2017-7479
SNMP: CVE-2015-5621
Libcurl: CVE-2016-5421

Dnsmasq: CVE-2017-14496, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor released updates on affected platforms accordingly.

CCIRC recommends confirming whether your remote access, mobile or off-site solutions include this type of cellular gateway. Contact your integrator or service provider for more information on how to properly test and deploy the vendor-released updates on affected platforms.

References:

Release Notes:
