A collection of 21 vulnerabilities have been discovered in Sierra Wireless AirLink cellular routers and open-source software components like TinyXML and OpenNDS.
The vulnerabilities are in Sierra Wireless AirLink routers and stem from various open source components used in the routers, like an open source captive portal called OpenNDS and an open source XML document parser called TinyXML, which is also an abandoned project. If exploited, the bugs can have several potential impacts, from allowing attackers to steal credentials to enabling them to take control of routers via code injection. Among the 21 vulnerabilities, one has critical severity (CVSS score 9.6), nine have high severity, and 11 have medium severity.
Sierra Wireless has released the following ALEOS versions to address the new vulnerabilities:
Further, it is recommended to take the following additional actions for enhanced protection:
The information provided herein is on an “as is” basis, without warranty of any kind.