Sierra Wireless Reveals 8 Security Vulnerabilities with ALEOS Devices
A new security advisory from Sierra Wireless, a leading provider of IoT solutions, discloses eight security vulnerabilities in ALEOS, the operating system that powers a range of Sierra Wireless AirLink routers.
ALEOS runs on devices such as the MP70, RV50x, RV55, LX40, LX60, ES450, and GX450. According to the advisory, ALEOS versions 4.16 and earlier are affected.
The vulnerabilities range from infinite loop conditions in the ACEManager component (CVE-2023-40458) to potential remote code execution (CVE-2023-40465). Their impact varies from denial of service (DoS) to unauthorized access and control by malicious actors, so they could disrupt operations and compromise sensitive data.
Sierra Wireless has already addressed these issues in ALEOS version 4.17, the latest release. Users are urged to upgrade their systems to protect against these vulnerabilities.
While upgrading is the best line of defense, Sierra Wireless also recommends several mitigation strategies, such as using strong, unique credentials, disabling unnecessary access points, and restricting access through features like ALEOS Trusted IP.
This advisory was made possible through the collaborative efforts of security experts like Dr. Stanislav Dashevskyi of ForeScout, highlighting the importance of community vigilance in cybersecurity.