This bulletin provides information about the impact of CVE-2015-2897 on Sierra Wireless GX, ES and LS gateways.

Issue Descriptions

Issue 1

Sierra Wireless GX, ES and LS gateways running ALEOS 4.4.1 and earlier include undocumented accounts used for diagnostic and development purposes. On gateways running ALEOS 4.3.4 and earlier, these accounts are remotely accessible via telnet or SSH. From ALEOS 4.3.5 onwards, these accounts can only be accessed locally, via SSH, by a user with physical access to the gateway or the attached local network. An unauthorized user with knowledge of the passwords for these accounts may be able to take control of the gateway or gain access to the attached local network.

Issue 2

Sierra Wireless GX, ES and LS gateways running ALEOS 4.3.2 and earlier do not properly authenticate firmware updates applied using the web interface. An unauthorized user with access to the web interface may be able to use an altered firmware image to take control of the gateway or gain access to the local network.

Products Affected

The following products are affected by these issues:

  • LS300
  • GX400 / GX440 / GX450
  • ES440 / ES450

Recommended Actions for Affected Products

Sierra Wireless recommends that all customers immediately upgrade to ALEOS 4.4.2, available on Friday, August 7th, 2015. This release disables access to the diagnostic and development accounts by default (Issue 1) and ensures that firmware updates applied through the web interface are properly authenticated (Issue 2).

Customers that are unable to immediately upgrade to ALEOS 4.4.2 can take the following actions to limit the impact of these issues.

ALEOS Version / Recommended actions

4.3.2 and earlier (both issues are reachable remotely)
  • Disable remote access via telnet, SSH and HTTP using “Port Filtering – Inbound” or “Trusted IP – Inbound” (procedures below).
  • Upgrade to ALEOS 4.4.2 when possible.

4.3.3 – 4.3.4 (Issue 2 no longer applies, but the diagnostic accounts are still reachable remotely)
  • Disable remote access via telnet and SSH using “Port Filtering – Inbound” or “Trusted IP – Inbound”.
  • Upgrade to ALEOS 4.4.2 when possible.

4.3.5 – 4.4.1 (the accounts can only be reached from the local network; no inbound filter is required by this bulletin)
  • Upgrade to ALEOS 4.4.2 when possible.

Disabling remote access using Port Filtering – Inbound

  1. Log in to ACEmanager or ALMS and navigate to Security > Port Filtering – Inbound.
  2. [Disable remote access via telnet or SSH] Under Filtered Ports add a new filter with a Start Port of “2332” and an End Port of “2332”.
  3. [Disable remote access via HTTP] Under Filtered Ports add a new filter with a Start Port of “9191” and an End Port of “9191”.
  4. Set Inbound Port Filtering Mode to “Blocked Ports”.
  5. Click Apply and reboot the gateway.

Note that once port 9191 is filtered, ACEmanager is no longer reachable over the WAN; continue to manage the gateway from the local network or through ALMS. After the reboot, confirm from an untrusted network (for example a host on the cellular side) that a TCP connection to ports 2332 and 9191 no longer completes.

Disabling remote access using Trusted IP – Inbound

  1. Log in to ACEmanager or ALMS and navigate to Security > Trusted IP – Inbound (Friends).
  2. Under Inbound Trusted IP List or Inbound Trusted IP Range, enter only the IP addresses or address ranges that must be able to reach the gateway remotely (your management hosts); any address not listed is denied once the mode is enabled.
  3. Set Inbound Trusted IP (Friends List) Mode to “Enable”.
  4. Click Apply and reboot the gateway.
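The version matrix and both filtering procedures above can be verified from the outside rather than trusted blindly. The following script is an added example for this bulletin and is not Sierra Wireless or USAT code: it encodes which inbound ports the bulletin requires to be unreachable at each ALEOS version (2332 for telnet/SSH, 9191 for HTTP) and then attempts a plain TCP connect to those ports from the network you are worried about. The gateway address, the timeout, the injectable probe and all function names are this example's own assumptions.

```python
"""Check CVE-2015-2897 mitigations from the untrusted side of an ALEOS gateway.

Added example for this bulletin; not Sierra Wireless or USAT code. It encodes the
bulletin's version matrix (which inbound ports must be unreachable at each ALEOS
version) and attempts a TCP connect to those ports from the network you are worried
about, e.g. a host on the cellular WAN side. The gateway address, the timeout and
all function names are assumptions of this example.
"""
import socket

# Ports named in the bulletin's Port Filtering procedure.
TELNET_SSH_PORT = 2332        # ALEOS telnet/SSH
ACEMANAGER_HTTP_PORT = 9191   # ALEOS web interface over HTTP

FIXED_VERSION = (4, 4, 2)     # release that resolves both issues


def parse_version(text):
    """'4.3.4' or 'ALEOS 4.3.4' -> (4, 3, 4) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split()[-1].split("."))


def ports_that_must_be_blocked(version):
    """Bulletin matrix: inbound ports that must be unreachable from untrusted networks."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return []                                        # fixed release
    if v <= (4, 3, 2):
        return [TELNET_SSH_PORT, ACEMANAGER_HTTP_PORT]   # Issue 1 and Issue 2
    if v <= (4, 3, 4):
        return [TELNET_SSH_PORT]                         # Issue 1 only
    return []   # 4.3.5 - 4.4.1: accounts are local-only; bulletin only asks for an upgrade


def upgrade_required(version):
    """True for any release before ALEOS 4.4.2 (the accounts still exist locally up to 4.4.1)."""
    return parse_version(version) < FIXED_VERSION


def port_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes, i.e. the inbound filter is NOT blocking it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, filtered (timeout) or unreachable
        return False


def assess(host, version, probe=port_reachable):
    """Summarise the gateway's exposure per the bulletin.

    Returns {"reachable": [ports that should be blocked but answered],
             "upgrade_required": bool}. 'probe' is injectable so the matrix logic
    can be exercised without network access.
    """
    reachable = [p for p in ports_that_must_be_blocked(version) if probe(host, p)]
    return {"reachable": reachable, "upgrade_required": upgrade_required(version)}


def start_throwaway_listener(host="127.0.0.1"):
    """Bind an ephemeral TCP port so port_reachable can be demonstrated offline.

    listen() alone is enough: the kernel completes the handshake from the backlog.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage: python check_aleos.py <gateway-wan-ip> <aleos-version>
    gw, ver = sys.argv[1], sys.argv[2]
    result = assess(gw, ver)
    for p in result["reachable"]:
        print(f"FAIL: port {p} on {gw} answers from this network; apply Port Filtering or Trusted IP")
    if not result["reachable"]:
        print("OK: no port the bulletin requires blocked is reachable from here")
    if result["upgrade_required"]:
        print(f"ALEOS {ver}: upgrade to 4.4.2 when possible")
```

Run it from a host on the untrusted side of the gateway, not from the local LAN: the bulletin's concern is remote reachability, and a connect that succeeds from the LAN tells you nothing about the inbound filter. A timeout and a refusal are both reported as blocked, since either means the handshake did not complete.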

Further Information

View the full ALEOS 4.4.2 Release Notes.

For more information on this issue, please contact a USAT Representative.

For all your M2M connectivity needs, visit ExpressM2M, a service of USAT.
