CVE-2023-40463

Name of the Vulnerable Software and Affected Versions ALEOS versions 4.16 and earlier

Description The issue is related to the use of hardcoded credentials in the debugging mode of the ALEOS operating system for Sierra Wireless MP70, RV50x, RV55, LX40, LX60 ES450, GX450 wireless routers. When configured in debugging mode by an authenticated user with administrative privileges, ALEOS stores the SHA512 hash of the common root password for that version in a directory accessible to a user with root privileges or equivalent access. This could allow a remote attacker to gain unauthorized access to protected information.

Recommendations For ALEOS versions 4.16 and earlier, consider disabling the debugging mode until a patch is available to prevent potential exploitation. Restrict access to the directory where the SHA512 hash of the common root password is stored to minimize the risk of unauthorized access. Avoid using the common root password for administrative tasks until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.