Sierra Wireless was recently informed of eight security vulnerabilities in ALEOS, the operating system used in certain Sierra Wireless AirLink Routers. This includes the MP70, RV50x, RV55, LX40, LX60 ES450 and GX450. The vulnerabilities are present in ALEOS 4.16 and earlier versions and have been remediated in ALEOS 4.17 released in October 2023.
Affected Products
These vulnerabilities affect all AirLink routers running ALEOS software releases prior to version 4.9.9 (ES450, GX450) and prior to 4.17.0.12 (MP70, RV50x, RV55, LX40, LX60).
Recommended Actions
Upgrade to ALEOS 4.17.0.12 (MP70, RV50x, RV55, LX40, LX60) as soon as possible or ALEOS 4.9.9 (ES450, GX450). Pending upgrade, the following mitigations are recommended:
- Always use strong, and ideally unique random credentials for your devices. ALEOS devices ship by default with unique random credentials.
- Disable access to ACEManager on the WAN and make use of the Sierra Wireless Airlink Management System (ALMS) or an alternative device management platform for remote management of your ALEOS devices.
- If you must leave ACEManager accessible via the WAN, restrict access using measures such as Private APN, VPN, or the ALEOS Trusted IP feature that restricts access to specific hosts.
- Disable Debug Mode on AirLink devices when not being used for diagnostic purposes.
- Sierra Wireless recommends that customers using devices which are no longer supported and not receiving the 4.17.0.12 or 4.9.9 updates refresh those devices with actively supported devices.
For more information about these security vulnerabilities, please refer to the Source. You may also reach out to your Sierra Wireless reseller for assistance.