SierraWireless ALEOS update 4.4.5 for AirLink devices
Date: 09 January 2018
The purpose of this advisory is to bring attention to a recent ALEOS software release that addresses a number of configuration and third-party vulnerabilities.
Sierra Wireless has released ALEOS product updates addressing multiple security vulnerabilities across multiple ALEOS products.
Among the changes in this release: changes to certain default account settings that reduce security risk when a device is exposed to untrusted networks; the ACEmanager viewer account has been removed (1); firmware updates are now authenticated; DMZ will be disabled when “Host Connection Mode” is not set to “Ethernet Uses Public IP” and “DMZ Enabled” is set to “Automatic”; and a user space monitor has been added to the flash memory file system.
Affected products: AirLink GX400, GX440, ES440, and LS300 running software prior to 4.4.5.
User input validation: CVE-2017-15043
OpenSSL: CVE-2016-0701, CVE-2017-3731, CVE-2016-2181, CVE-2016-0702, CVE-2017-3732, CVE-2016-2182, CVE-2016-0705, CVE-2016-2105, CVE-2016-2183, CVE-2016-0797, CVE-2016-2106, CVE-2016-6302, CVE-2016-0798, CVE-2016-2107, CVE-2016-6303, CVE-2016-0799, CVE-2016-2109, CVE-2016-6304, CVE-2016-0800, CVE-2016-2176, CVE-2016-6306, CVE-2016-2842, CVE-2016-2177, CVE-2015-3195, CVE-2015-1794, CVE-2016-2178, CVE-2015-3197, CVE-2015-3193, CVE-2016-2179, CVE-2015-3194, CVE-2016-2180
Dropbear: CVE-2017-9078 and CVE-2017-9079
Tcpdump and Libpcap: CVE-2014-8769 and CVE-2014-8767
Linux kernel: CVE-2017-14106, CVE-2014-7822, CVE-2014-9888, CVE-2015-3288
OpenVPN: CVE-2017-7520 and CVE-2017-7479
Dnsmasq: CVE-2017-14496, CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495
CCIRC recommends that system administrators test and deploy the vendor released updates on affected platforms accordingly.
CCIRC recommends confirming whether your remote access, mobile or off-site solutions include this type of cellular gateway. Contact your integrator or service provider for more information on how to properly test and deploy the vendor-released updates on affected platforms.
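To support the recommendation above, the following added example (not code from the advisory or from Sierra Wireless) audits a constructed device inventory: it flags the listed AirLink models running releases prior to 4.4.5 and models the DMZ behaviour change described in this release. The inventory field names, the "Automatic"/"Disabled" DMZ values and the non-public host connection mode string are assumptions for illustration.

```python
from typing import Dict, List, Tuple

# Models the advisory lists as affected when running ALEOS prior to 4.4.5.
AFFECTED_MODELS = {"GX400", "GX440", "ES440", "LS300"}
FIXED_VERSION = (4, 4, 5)
PUBLIC_IP_MODE = "Ethernet Uses Public IP"  # quoted from the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an ALEOS version such as '4.4.5' into a comparable tuple so that
    '4.4.10' sorts after '4.4.5' (a plain string comparison would get this wrong)."""
    return tuple(int(part) for part in version.strip().split("."))


def needs_update(model: str, version: str) -> bool:
    """True when the device is a listed model on a release prior to 4.4.5."""
    return model.upper() in AFFECTED_MODELS and parse_version(version) < FIXED_VERSION


def dmz_effectively_enabled(version: str, host_mode: str, dmz_setting: str) -> bool:
    """From 4.4.5 onward, DMZ is disabled when Host Connection Mode is not
    'Ethernet Uses Public IP' and DMZ Enabled is 'Automatic'. For older releases
    this example assumes 'Automatic' leaves the DMZ active in that configuration."""
    if dmz_setting == "Disabled":          # assumed setting value
        return False
    if dmz_setting == "Automatic" and host_mode != PUBLIC_IP_MODE:
        return parse_version(version) < FIXED_VERSION
    return True


def audit(inventory: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (device_id, findings) for every device that needs attention."""
    report = []
    for dev in inventory:
        findings = []
        if needs_update(dev["model"], dev["version"]):
            findings.append("update to ALEOS 4.4.5 or later")
        if dmz_effectively_enabled(dev["version"], dev["host_mode"], dev["dmz"]):
            findings.append("DMZ active: confirm host exposure is intended")
        if findings:
            report.append((dev["id"], findings))
    return report


# Constructed sample inventory; device ids, versions and the private-IP mode string are made up.
SAMPLE_INVENTORY = [
    {"id": "gw-01", "model": "GX440", "version": "4.4.2", "host_mode": "Ethernet Uses Private IP", "dmz": "Automatic"},
    {"id": "gw-02", "model": "LS300", "version": "4.4.10", "host_mode": "Ethernet Uses Private IP", "dmz": "Automatic"},
    {"id": "gw-03", "model": "GX400", "version": "4.4.5", "host_mode": PUBLIC_IP_MODE, "dmz": "Automatic"},
    {"id": "gw-04", "model": "ES440", "version": "4.3.0", "host_mode": PUBLIC_IP_MODE, "dmz": "Disabled"},
]

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE_INVENTORY):
        print(dev_id, "->", "; ".join(findings))
```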
- (1) Products: AirLink® Gateways running ALEOS 4.5.2 or older using default user or viewer password - https://source.sierrawireless.com/~/media/support_downloads/airlink/docs/technical%20bulletin/technical%20bulletin%20-%20malware%20threat%20-%2011sep2017%20-%20release.ashx?la=en
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118