Date of Issue: May 2, 2019
AirLink® LS300, GX400, GX/ES440, GX/ES450, RV50, RV50X, MP70, MP70E, LX60 and LX40 gateways and routers that:
• Are directly reachable from the public internet, and
• Have SSH reachable over the WAN
The Sierra Wireless security team has received reports of AirLink devices with SSH remote access enabled acting as proxy servers for external parties. Further investigation of reported devices shows that attackers are using compromised usernames and passwords to gain authenticated access to SSH and use the service as a proxy.
Known impacts of this attack are:
• Affected devices are proxying external data, and as such, may incur higher data rates.
• External parties may be able to access ACEmanager and local LAN services, even if remote ACEmanager is not enabled.
All affected customers are advised to take immediate action as detailed in this bulletin.
Sierra Wireless advises customers to follow the recommended actions outlined below. If you require assistance performing these actions or have routers that are exhibiting suspicious behavior, please contact USAT Corp.
- If SSH remote access is not required, disable remote access:
a. In ACEmanager, navigate to Services > Telnet/SSH
b. Set ‘Telnet/SSH Access Policy’ to ‘LAN’ (default) or ‘Disabled’.
- If SSH remote access is required, change the user and sconsole passwords on all devices to a new secure value, even if the devices previously had a non-default password, as the password may have been previously compromised.
a. In ACEmanager, navigate to Admin > Change Password
b. Select ‘user’ as the ‘Username’, enter a strong new password, and click ‘Change Password’
c. Select ‘sconsole’ as the ‘Username’, enter a strong new password, and click ‘Change Password’
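To find devices in your own fleet that meet the affected condition, or to confirm that setting the access policy to ‘LAN’ or ‘Disabled’ took effect, the WAN address can be checked for an SSH banner. The following is an added example, not Sierra Wireless or USAT code; the inventory labels and addresses are constructed placeholders, and port 22 is an assumption for the SSH port.

```python
import socket

def classify_ssh_exposure(host, port=22, timeout=3.0):
    """Classify one address as 'ssh-exposed', 'open-no-ssh-banner' or 'not-reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(64)  # timeout set by create_connection applies here
            except OSError:
                banner = b""  # port open, but nothing sent before the timeout
    except OSError:
        return "not-reachable"  # refused, filtered or timed out
    # An SSH server identifies itself with a line starting "SSH-" (RFC 4253, 4.2).
    return "ssh-exposed" if banner.startswith(b"SSH-") else "open-no-ssh-banner"

def audit_fleet(inventory, timeout=3.0):
    """inventory: iterable of (label, wan_address, ssh_port); returns {label: status}."""
    return {label: classify_ssh_exposure(addr, port, timeout)
            for label, addr, port in inventory}

if __name__ == "__main__":
    # Constructed placeholder inventory (RFC 5737 documentation addresses);
    # replace with the WAN addresses of devices you operate.
    FLEET = [("site-a-gateway", "192.0.2.10", 22),
             ("site-b-gateway", "192.0.2.11", 22)]
    for label, status in audit_fleet(FLEET, timeout=1.0).items():
        print(f"{label}: {status}")
```

Run it from a host outside the device's LAN; a ‘not-reachable’ result obtained from inside the LAN says nothing about WAN exposure. Devices that still report ‘ssh-exposed’ because remote SSH is required need the password changes described above.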
For Additional Details Contact USAT: