Sierra Wireless has published an advisory regarding critical flaws in its AirLink routers.
Last week, Cisco Talos disclosed several serious flaws affecting Sierra Wireless AirLink gateways and routers.
A total of 11 vulnerabilities were disclosed affecting Sierra Wireless AirLink gateways and routers, including two critical flaws that allow arbitrary code injection and remote code execution.
Now the company has warned customers that additional AirLink router models are also affected by the vulnerabilities.
The vulnerabilities also affect 11 other Sierra Wireless AirLink routers running the ALEOS software.
According to the advisory, successful exploitation of these flaws can allow attackers to remotely execute code, discover user credentials, upload files, and discover file paths.
A total of 7 flaws were patched, of which 2 were rated critical and 5 were rated medium severity.
The following Sierra AirLink models running the ALEOS software are impacted by the flaws:
- LS300, GX400, GX440, and ES440: version 4.4.8 and prior
- GX450 and ES450: all versions prior to 4.9.4
- MP70, MP70E, RV50, RV50X, LX40, and LX60: all versions prior to 4.12
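The model and version table above is the kind of thing that ends up in an inventory script, and the ranges mix an inclusive bound ("4.4.8 and prior") with exclusive ones ("prior to 4.9.4", "prior to 4.12"). The script below is an added example written for this article, not code from Sierra Wireless or Cisco Talos; it encodes the advisory's table and triages a constructed inventory (the hostnames and versions are made up). It also shows why versions must be compared numerically rather than as strings, since "4.12" sorts before "4.9" lexically.

```python
"""Affected-device check for the Sierra Wireless AirLink ALEOS advisory.

Added example, not vendor code. AFFECTED encodes the model/version table
from the advisory text; SAMPLE_INVENTORY is constructed for illustration.
"""
from typing import List, Optional, Tuple

# (models, version bound, bound is inclusive?)
# "4.4.8 and prior" is inclusive; "prior to 4.9.4" and "prior to 4.12" are exclusive.
AFFECTED = [
    ({"LS300", "GX400", "GX440", "ES440"}, "4.4.8", True),
    ({"GX450", "ES450"}, "4.9.4", False),
    ({"MP70", "MP70E", "RV50", "RV50X", "LX40", "LX60"}, "4.12", False),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.9.4' into (4, 9, 4) so comparisons are numeric.

    A plain string compare would say '4.12' < '4.9.4' because '1' < '9',
    which would mark every 4.9.x RV50 as patched. Tuples compare element-wise.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if (model, version) falls inside an affected range, False if the
    model is listed but the version is at or past the fix, None if the model
    is not covered by the advisory at all."""
    ver = parse_version(version)
    for models, bound, inclusive in AFFECTED:
        if model.upper() in models:
            limit = parse_version(bound)
            return ver <= limit if inclusive else ver < limit
    return None


def triage(inventory: List[Tuple[str, str, str]]) -> dict:
    """Bucket (hostname, model, version) rows into affected / patched / unknown."""
    result = {"affected": [], "patched": [], "unknown": []}
    for hostname, model, version in inventory:
        status = is_affected(model, version)
        key = "unknown" if status is None else ("affected" if status else "patched")
        result[key].append(hostname)
    return result


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    ("site-a-gw", "GX450", "4.9.3"),   # prior to 4.9.4 -> affected
    ("site-b-gw", "GX450", "4.9.4"),   # first fixed release -> patched
    ("site-c-gw", "RV50", "4.12"),     # first fixed release -> patched
    ("site-d-gw", "RV50", "4.9.4"),    # numerically below 4.12 -> affected
    ("site-e-gw", "ES440", "4.4.8"),   # "4.4.8 and prior" is inclusive -> affected
    ("site-f-gw", "ES440", "4.4.9"),   # above the inclusive bound -> patched
    ("site-g-gw", "XYZ9", "1.0"),      # model not in the advisory -> unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices that land in the "unknown" bucket are not safe by construction; they are simply outside the published table and need a separate check against the vendor's current advisory.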
CVE-2018-4061 is due to improper neutralization of special elements used in an OS command (command injection).
An attacker can exploit the flaw by sending a specially crafted, authenticated HTTP request to inject arbitrary commands, resulting in remote code execution.
CVE-2018-4063 allows attackers to upload or transfer files of dangerous types.
An attacker could exploit this flaw by sending a specially crafted, authenticated HTTP request to upload a file, resulting in executable, routable code being uploaded to the web server.
Sierra Wireless has addressed these flaws, and users are advised to update their devices immediately.
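The two weakness classes named above, a request parameter reaching an OS command and an upload endpoint accepting dangerous file types, are generic web-handler bugs, and the advisory does not name the affected ALEOS endpoints or parameters. The code below is an added illustration, not ALEOS code: the "diagnostic ping" handler, the parameter names, the upload allowlist and the storage paths are assumptions chosen to show each anti-pattern next to its hardened form.

```python
"""Vulnerable pattern beside hardened form for the two weakness classes in
the advisory: OS command injection (CWE-78, the class of CVE-2018-4061) and
unrestricted upload of dangerous file types (CWE-434, the class of
CVE-2018-4063). Added example; endpoint, parameters and paths are assumed.
"""
import re
from pathlib import PurePosixPath
from typing import Callable, List

# ---- CWE-78: OS command built from a request parameter -------------------

def vulnerable_ping_command(host: str) -> str:
    """Anti-pattern: the request value is pasted into a shell command string.
    Any shell metacharacter in `host` changes what the shell runs.
    Returned as a string, never executed, purely for comparison."""
    return f"ping -c 1 {host}"

# Strict hostname/IPv4-label allowlist: alphanumerics and hyphens, dot-separated,
# no leading/trailing hyphen, 253 chars total, 63 per label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: validate against an allowlist, then hand an argv list to
    subprocess.run(argv) (shell=False), so no shell ever parses the value."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("rejected host parameter")
    return ["ping", "-c", "1", host]

# ---- CWE-434: upload of a dangerous file type ----------------------------

ALLOWED_EXTENSIONS = {".xml", ".txt"}   # assumed allowlist for config uploads
MAX_UPLOAD_BYTES = 64 * 1024            # assumed size cap

def vulnerable_upload_path(filename: str) -> str:
    """Anti-pattern: client-supplied name stored as-is under the web root,
    so whatever was uploaded is served (and possibly executed) from there."""
    return f"/www/uploads/{filename}"

def accept_upload(filename: str, data: bytes) -> str:
    """Hardened form: reject path components, enforce the extension allowlist,
    cap the size, refuse obviously executable content, and store under a
    directory the web server does not serve. Returns the storage path."""
    name = PurePosixPath(filename).name
    if name != filename or name in ("", ".", ".."):
        raise ValueError("rejected file name")          # traversal / empty
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("rejected file type")          # allowlist, not denylist
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("rejected file size")
    if data.startswith(b"#!") or data[:4] == b"\x7fELF":
        raise ValueError("rejected executable content")  # extension lies
    return f"/var/lib/app/uploads/{name}"               # assumed non-web path

def rejected(fn: Callable, *args) -> bool:
    """True if the hardened check refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(safe_ping_argv("router.example.com"))
    print("metachar host rejected:", rejected(safe_ping_argv, "host;id"))
    print(accept_upload("config.xml", b"<config/>"))
    print("script upload rejected:", rejected(accept_upload, "shell.sh", b"#!/bin/sh\n"))
```

The important difference is structural, not cosmetic: the hardened ping never lets a shell see the parameter at all, and the upload handler decides what is acceptable from a short allowlist plus content checks rather than trying to enumerate dangerous types.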