Sierra Wireless AirLink with ALEOS firmware
Plan: Patch · CVSS: 8.1 · ICS-CERT ICSA-23-341-06 · Dec 7, 2023
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Sierra Wireless AirLink ALEOS firmware contains seven vulnerabilities: an infinite loop (CWE-835, Loop with Unreachable Exit Condition) and a NULL pointer dereference (CWE-476), which the advisory associates with remote code execution; cross-site scripting (CWE-79); a reachable assertion that causes denial of service (CWE-617); hard-coded credentials (CWE-798); and a hard-coded cryptographic key (CWE-321, listed here as insufficient key management). Affected versions: ALEOS before 4.9.9 on the 4.9 branch, and ALEOS before 4.17.0 on later branches (the two fixed versions are per branch, not a single cut-off). Successful exploitation could allow an attacker to execute code on the gateway and take full control of it, steal credentials through XSS, or crash the device.
What this means
What could happen
An attacker could gain full control of an AirLink gateway, potentially intercepting or disrupting communications between remote sites and your network operations center, stealing login credentials, or rendering the device inoperable. This could prevent remote monitoring and management of distributed sites (branches, substations, water treatment plants).
Who's at risk
This affects operators of Sierra Wireless AirLink gateways deployed at remote sites (branch offices, water treatment plants, substations, cell towers) that rely on these devices for connectivity and remote device management. Any organization running ALEOS before 4.9.9 (4.9 branch) or before 4.17.0 (later branches) is at risk.
How it could be exploited
An attacker with network access to the AirLink web interface and a low-privilege account could trigger the infinite-loop (CWE-835) or NULL-pointer-dereference (CWE-476) faults; at minimum these crash the device, and the advisory rates the worst case as remote code execution and full control of the gateway. The hard-coded credentials (CWE-798) could supply that account where no legitimate credentials are known. The XSS flaws (CWE-79) execute in an administrator's browser, not on the gateway: they let the attacker steal that administrator's credentials or session and perform management actions within the victim's authenticated session, which can then be used to reach the code-execution path. The reachable assertion (CWE-617) gives a straightforward denial of service.
Prerequisites
- Network access to the AirLink web management interface (HTTP/HTTPS, typically port 80/443; confirm the management port actually configured on your devices, and whether it is reachable on the cellular/WAN side)
- Valid login credentials for AirLink web interface, or ability to exploit hardcoded credentials (CWE-798)
Tags: remotely exploitable; low complexity; hardcoded credentials present; high CVSS score (8.1); multiple vulnerability types (RCE, XSS, DoS)
Exploitability
Moderate exploit probability (EPSS 1.3%, the estimated probability of exploitation in the wild within the next 30 days)
Affected products (2), both with a fix

Product | Affected versions | Fixed in
AirLink ALEOS firmware (4.9 branch) | < 4.9.9 | 4.9.9
AirLink ALEOS firmware (later branches) | < 4.17.0 | 4.17.0
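The two fixed versions in the table are per branch, so a naive "is the version below 4.17.0?" check flags an already-patched 4.9.9 device as vulnerable. The following inventory audit, added here as an example and not code from Sierra Wireless or from the advisory, handles both cut-offs. It assumes that ALEOS version strings begin with three dotted numbers and that anything after them (for example the "010" in "4.16.0.010") is a build suffix, that devices on 4.9 or older stay on the 4.9 maintenance branch, and the device names and versions in SAMPLE_INVENTORY are constructed.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Fixed versions from the advisory, one per maintenance branch.
FIX_49 = (4, 9, 9)     # devices on the 4.9 branch (or older)
FIX_417 = (4, 17, 0)   # devices on 4.10 .. 4.16

# Assumption: the first three dotted numbers are the ALEOS version; anything
# after them (e.g. "4.16.0.010") is a build suffix that does not change the check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn "4.16.0.010" into (4, 16, 0); reject strings that are not ALEOS versions."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ALEOS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def required_fix(version: tuple[int, int, int]) -> tuple[int, int, int] | None:
    """Return the version this device must reach, or None if it is not affected.

    The fixed versions are per branch, not one cut-off: a patched 4.9.9 device
    is numerically below 4.17.0 but is NOT affected, so `version < (4, 17, 0)`
    alone would be a false positive. Assumption: devices on 4.9 (or older)
    stay on the 4.9 branch and are fixed by 4.9.9.
    """
    if version[:2] <= (4, 9):
        return FIX_49 if version < FIX_49 else None
    if version < FIX_417:
        return FIX_417
    return None


def fmt(version: tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in version)


class Finding(NamedTuple):
    device: str
    running: str
    needs: str | None   # target version, or None when not affected


def audit(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Check every (device name, version string) pair and report the target version."""
    findings = []
    for device, running in inventory:
        fix = required_fix(parse_version(running))
        findings.append(Finding(device, running, fmt(fix) if fix else None))
    return findings


# Constructed sample inventory (not real devices): one device on each side of both cut-offs.
SAMPLE_INVENTORY = [
    ("substation-07", "4.9.4"),        # 4.9 branch, unpatched
    ("pump-03",       "4.9.9"),        # 4.9 branch, already fixed
    ("branch-12",     "4.16.0.010"),   # later branch, unpatched
    ("tower-21",      "4.17.0.003"),   # later branch, already fixed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        status = f"update to {f.needs}" if f.needs else "not affected"
        print(f"{f.device:14} {f.running:12} {status}")
```

Feed it the version strings from your own device inventory; the one decision it encodes is that the branch, not the bare numeric comparison, selects the target version.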
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the AirLink web management interface to authorized IP addresses or VPN-only access using firewall rules
WORKAROUND: Disable remote web management access if not required for operations; use local serial or out-of-band management only. Cellular gateways often hold a publicly routable WAN address, so verify the interface is not listening on the cellular (WAN) side.
WORKAROUND: Change any default credentials associated with AirLink devices immediately. Note that the hard-coded credentials (CWE-798) and hard-coded key (CWE-321) are baked into the firmware and are only removed by the firmware update; changing default credentials does not address them.
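Restricting the management interface is only as good as the rules actually in force, so the check below, added here as an example and not part of the advisory or of any Sierra Wireless tooling, scans firewall log lines for connections to a gateway's web management port from sources outside the allowlist. It assumes log lines in the iptables/nftables LOG format (key=value fields such as SRC=, DST= and DPT=); the gateway addresses, ports, allowlist networks and the lines in SAMPLE_LOG are all constructed values to be replaced with your own.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed values for the example; substitute your own inventory.
GATEWAY_MGMT_ADDRS = {"192.0.2.10", "192.0.2.11"}   # AirLink addresses the firewall fronts
MGMT_PORTS = {80, 443}                               # web management ports (confirm on your devices)
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.50.0.0/24"),   # NOC jump hosts
    ipaddress.ip_network("10.99.1.5/32"),   # VPN concentrator inside address
]

# key=value fields as written by the iptables/nftables LOG target
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_log_line(line: str) -> dict[str, str] | None:
    """Extract SRC/DST/PROTO/DPT from a kernel LOG line; None for any other log line."""
    fields = dict(_FIELD.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "DPT")):
        return None
    return fields


def source_is_allowed(src: str) -> bool:
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unauthorised_mgmt_access(lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for every logged connection to a gateway's web
    management port from a source outside the allowlist. Non-firewall lines and
    traffic to other ports (e.g. SSH on 22) are ignored."""
    hits = []
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        dport = int(f["DPT"])
        if (f["DST"] in GATEWAY_MGMT_ADDRS and dport in MGMT_PORTS
                and not source_is_allowed(f["SRC"])):
            hits.append((f["SRC"], f["DST"], dport))
    return hits


# Constructed sample log lines (not captured from a real firewall).
SAMPLE_LOG = [
    "Dec  8 03:12:01 fw1 kernel: MGMT IN=eth1 OUT= SRC=10.50.0.12 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=443 SYN",
    "Dec  8 03:12:07 fw1 kernel: MGMT IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=443 SYN",
    "Dec  8 03:12:09 fw1 kernel: MGMT IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.11 PROTO=TCP SPT=40212 DPT=80 SYN",
    "Dec  8 03:13:44 fw1 kernel: MGMT IN=eth1 OUT= SRC=10.50.0.12 DST=192.0.2.10 PROTO=TCP SPT=51030 DPT=22 SYN",
    "Dec  8 03:14:00 fw1 sshd[123]: Accepted publickey for ops from 10.50.0.12",
]

if __name__ == "__main__":
    for src, dst, dport in find_unauthorised_mgmt_access(SAMPLE_LOG):
        print(f"unauthorised management access: {src} -> {dst}:{dport}")
```

Any hit means either the firewall rule is missing or too broad, or the management interface is reachable by a path the rule does not cover (for example the gateway's own WAN side), and both need fixing before the patch window.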
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update AirLink ALEOS firmware to version 4.9.9 or later (for devices on the 4.9 branch) or version 4.17.0 or later (for devices on later branches)
Long-term hardening
HARDENING: Implement network segmentation to isolate AirLink devices from business networks and the internet; place them behind a firewall
HARDENING: Use a VPN for any required remote access to AirLink devices; ensure the VPN client and server are updated to the latest versions
CVEs (7)
API:
/api/v1/advisories/616e5b0f-7e37-4931-9c8e-9f84856ad0d1