Multiple high-severity security vulnerabilities have been disclosed in ConnectedIO's ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data.
"An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device information," Claroty's Noam Moshe said in an analysis published last week.
Vulnerabilities in 3G/4G routers could expose thousands of internal networks to severe threats, enabling bad actors to seize control, intercept traffic, and even infiltrate Extended Internet of Things (XIoT) things.
The shortcomings impacting the ConnectedIO platform versions v2.1.0 and prior, primarily the 4G ER2000 edge router and cloud services, could be chained, permitting attackers to execute arbitrary code on the cloud-based devices without requiring direct access to them.
Flaws have also been unearthed in the communication protocol (i.e., MQTT) used between the devices and the cloud, including the use of hard-coded authentication credentials, that could be used to register a rogue device and access MQTT messages containing device identifiers, Wi-Fi settings, SSIDs, and passwords from routers.
A consequence of the vulnerabilities is that a threat actor could not only impersonate any device of their choice using the leaked IMEI numbers, but also force them to execute arbitrary commands published via specially crafted MQTT messages.
This is made possible through a bash command with the opcode "1116," which executes a remote command "as-is."
"This command, which does not require any other form of authentication other than being able to write it to the correct topic, allows us to execute arbitrary commands on all devices," Moshe explained.
"It lacks validation that the sender of the commands is actually an authorized issuer. Using this command opcode, we were able to generate a payload that will result in code execution whenever it is sent to a device."
The issues have been assigned the following CVE identifiers -
- CVE-2023-33375 (CVSS score: 8.6) - A stack-based buffer overflow vulnerability in its communication protocol, enabling attackers to take control over devices.
- CVE-2023-33376 (CVSS score: 8.6) - An argument injection vulnerability in its ip tables command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
- CVE-2023-33377 (CVSS score: 8.6) - An operating system command injection vulnerability in the set firewall command in part of its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
- CVE-2023-33378 (CVSS score: 8.6) - An argument injection vulnerability in its AT command message in its communication protocol, enabling attackers to execute arbitrary OS commands on devices.
"These vulnerabilities, if exploited, could pose serious risk for thousands of companies around the world, allowing attackers to disrupt the companies' business and production, along with giving them access to the companies' internal networks," Moshe said.
The disclosure comes as the company also revealed a handful of flaws in network-attached storage (NAS) devices from Synology and Western Digital that could be weaponized to impersonate and control them, as well as steal stored data and redirect users to an attacker-controlled device.
It also follows the discovery of three unpatched vulnerabilities affecting Baker Hughes' Bently Nevada 3500 rack model that could be utilized to bypass the authentication process and obtain complete access to the device and .
"In the most severe scenario, these flaws could allow an attacker to fully compromise the device and alter its internal configuration, potentially leading to either incorrect measurements from monitored machines, or denial-of-service attacks," Nozomi Networks said.