
WeOS 4.21.2 Security Update

Westermo has released a permanent fix for the vulnerability reported in CVE-2017-14491 (WEOS-17-02) that affects WeOS releases 4.8.0 to 4.21.1.

An attacker could send a crafted DNS packet that causes a buffer overflow in the underlying component. The effect of this attack would be a denial of service (DoS) or execution of arbitrary code (which could potentially give the attacker control of the component).

Organizations using any of the above WeOS versions are encouraged to upgrade to 4.21.2 to mitigate this vulnerability.
As an alternative mitigation, disable use of the switch as a DHCP server and block DNS requests, following the instructions below:

  • If the device acts as a DHCP server, remove all DHCP server configurations if present. See section 22.1.3 General DHCP Server settings in the WeOS Management Guide.
  • Block DNS requests by using the following firewall rule:
    filter deny in <vlanX> dport 53 proto udp
    For each VLAN in use, replace <vlanX> with the actual VLAN ID and apply the firewall rule. See section 31.1.2.2 Filter Rules Packet Matching in the WeOS Management Guide.
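
The following is an added example, not Westermo code: it checks device versions against the affected range (4.8.0 to 4.21.1) with a numeric comparison, since a plain string comparison would wrongly place 4.9.0 outside the range, and it expands the firewall rule above once per VLAN. The inventory schema, device names and the `vlan<ID>` form used for `<vlanX>` are assumptions.

```python
# Added example (not Westermo code): triage an inventory against WEOS-17-02.
AFFECTED_MIN = (4, 8, 0)     # first affected release, per the advisory
AFFECTED_MAX = (4, 21, 1)    # last affected release, per the advisory
RULE = "filter deny in {iface} dport 53 proto udp"   # rule text from the advisory


def parse_version(text):
    """'4.21.1' -> (4, 21, 1); tuples compare numerically, strings do not."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WeOS version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def dns_block_rules(vlan_ids):
    # Assumption: <vlanX> is written as vlan<ID>, e.g. vlan10.
    return [RULE.format(iface=f"vlan{v}") for v in sorted(set(vlan_ids))]


def triage(device):
    """Return upgrade and interim actions for one device (hypothetical schema)."""
    try:
        affected = is_affected(device["version"])
    except ValueError:
        return ["check version manually"]   # never guess at a malformed version
    if not affected:
        return []
    actions = ["upgrade to 4.21.2"]
    if device.get("dhcp_server"):
        actions.append("remove DHCP server configuration")
    return actions + dns_block_rules(device.get("vlans", []))


# Constructed sample inventory; names, versions and VLANs are made up.
INVENTORY = [
    {"name": "sw-a", "version": "4.9.0", "dhcp_server": True, "vlans": [1, 10]},
    {"name": "sw-b", "version": "4.21.2", "dhcp_server": False, "vlans": [1]},
    {"name": "sw-c", "version": "4.21", "dhcp_server": False, "vlans": [1]},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], triage(dev) or "not in affected range")
```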

See the security advisory WEOS-17-02 in the Westermo Cyber Security resource center for more details about the vulnerability and how to mitigate it.

How to get the new version

WeOS units manufactured after the release of WeOS 4.21.2 will have the latest version installed.

The new version of the WeOS firmware is also available for download from the Westermo website. Version 4.21.2 is verified to support all active WeOS products, i.e. products presented on the website at the time of release.

Read more about WeOS and download the new version here:
http://www.westermo.com/solutions/weos/download-weos

Simple and secure firmware update with WeConfig

It is very easy to update WeOS devices using WeConfig.

Simply select the products to be upgraded in the network map and load the new software. A complete backup of the configuration will be performed before the upgrade begins. When you choose to upgrade multiple devices, WeConfig will suggest the best running order. If an update fails for any reason, WeConfig will automatically retry the procedure. WeConfig manages the entire process, so in larger networks a huge amount of time can be saved, as the update process can be set to run overnight.

If you are not satisfied with the update, it is very simple to roll back to the previous firmware version.
