Sierra Wireless customers can find more details about the products affected by these issues and workarounds on the Sierra Wireless site. Customers will need to authenticate before downloading content.
Carve Systems consultants performed, and continue to perform, research on a number of IoT devices. The Carve Systems team coordinates its disclosure with vendors when at all possible. This advisory is for the Sierra GX 440. In 2015 the consultants performed research against the GX 440 running firmware version 4.3.2a.010. The consultants discovered numerous security findings and disclosed them to the vendor.
This advisory covers seven CVEs (details pending):
- 3/11/16 – Initial contact email sent to vendor.
- 4/5/16 – Disclosure to CERT/CC (VU#829752).
- 4/7/16 – CERT/CC communicates findings to Sierra. Projected disclosure date is 5/13/16.
- 4/15/16 – CERT/CC indicates that Sierra would like to work directly with Carve. Introduction email.
- 4/15/16 to 5/3/16 – Carve communicates additional details to Sierra. Sierra and Carve work together to understand which vulnerabilities have already been patched in newer releases.
- 5/11/16 – Carve/Sierra mutually agree to delay publication until 5/31/16.
- 6/9/16 – Coordinated public disclosure.
Original Advisory Content
Below is the original advisory provided to Sierra Wireless.