Cybersecurity researchers have disclosed multiple security flaws in Cinterion cellular modems that could be potentially exploited by threat actors to access sensitive information and achieve code execution.
"These vulnerabilities include critical flaws that permit remote code execution and unauthorized privilege escalation, posing substantial risks to integral communication networks and IoT devices foundational to industrial, healthcare, automotive, financial and telecommunications sectors," Kaspersky said.
Cinterion modems were originally developed by Gemalto before the business was acquired by Telit from Thales as part of a deal announced in July 2022.
The findings were presented at the OffensiveCon held in Berlin on May 11. The list of eight flaws is as follows -
- CVE-2023-47610 (CVSS score: 8.1) - A buffer overflow vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.
- CVE-2023-47611 (CVSS score: 7.8) - An improper privilege management vulnerability that could allow a local, low-privileged attacker to elevate privileges to manufacturer level on the targeted system.
- CVE-2023-47612 (CVSS score: 6.8) - A files or directories accessible to external parties vulnerability that could allow an attacker with physical access to the target system to obtain read/write access to any files and directories on the targeted system, including hidden files and directories.
- CVE-2023-47613 (CVSS score: 4.4) - A relative path traversal vulnerability that could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the targeted system.
- CVE-2023-47614 (CVSS score: 3.3) - An exposure of sensitive information vulnerability that could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the targeted system.
- CVE-2023-47615 (CVSS score: 3.3) - An exposure of sensitive information through environmental variables vulnerability that could allow a local, low-privileged attacker to obtain unauthorized access to the targeted system.
- CVE-2023-47616 (CVSS score: 2.4) - An exposure of sensitive information vulnerability that could allow an attacker with physical access to the target system to get access to sensitive data on the targeted system.
The most severe of the weaknesses is CVE-2023-47610, a heap overflow vulnerability in the modem that enables remote attackers to execute arbitrary code via SMS messages.
Furthermore, the access could be weaponized to manipulate RAM and flash memory, thereby allowing the attackers to exert more control of the modem without authentication or requiring physical access.
The remaining vulnerabilities stem from security lapses in the handling of MIDlets, which refer to Java-based applications running within the modems. They could be abused to bypass digital signature checks and allow unauthorized code execution with elevated privileges.
Security researchers Sergey Anufrienko and Alexander Kozlov have been credited with discovering and reporting the flaws, which were formally revealed by Kaspersky ICS CERT in a series of advisories published on November 8, 2023.
"Since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging," Evgeny Goncharov, head of Kaspersky ICS CERT, said.
To mitigate potential threats, organizations are recommended to disable non-essential SMS messaging capabilities, employ private Access Point Names (APNs), control physical access to devices, and conduct regular security audits and updates.
The Hacker News has reached out to Telit for more information on the flaws, and we will update the story once we hear back.
Update
Kaspersky has shared more technical details on the analysis that went behind the discovery of seven security flaws in Cinterion cellular modems that could be weaponized to elevate privileges, access sensitive information, and execute arbitrary code, effectively allowing attackers to take complete control of the devices.
The vulnerabilities impact the following models -
- Cinterion BGS5
- Cinterion EHS5/6/7
- Cinterion PDS5/6/8
- Cinterion ELS61/81, and
- Cinterion PLS62
"Though being a special-purpose device, a modern modem implements numerous features and potential user scenarios," the company said. "Due to performance requirements, most of the key features are implemented in low-level languages such as С and Assembler and therefore lack built-in safeguards mitigating potential developers' mistakes."
(The story was updated after publication on Jun 19, 2024, to include additional specifics shared by Kaspersky.)