ConnectedIO's ER2000 edge routers and their associated cloud-based management platform have been found to contain multiple high-severity security vulnerabilities that malicious actors could exploit to execute malicious code and gain unauthorized access to sensitive data.

Claroty's Noam Moshe emphasized the severity of these flaws, highlighting that an attacker could leverage them to compromise the entire cloud infrastructure, remotely execute code, and exfiltrate all customer and device information.

The vulnerabilities primarily affect ConnectedIO's 3G/4G routers and pose a significant risk to internal networks. Exploiting them could allow malicious actors to seize control of the routers, intercept network traffic, and infiltrate Extended Internet of Things (XIoT) devices.


The vulnerabilities are present in ConnectedIO platform versions up to v2.1.0, primarily in the 4G ER2000 edge router and its cloud services. They can be chained together, enabling attackers to execute arbitrary code on cloud-managed devices without direct access to them.


Furthermore, flaws have been uncovered in the communication protocol (MQTT) employed between devices and the cloud. These include the use of hard-coded authentication credentials, which could be exploited to register a rogue device and access MQTT messages containing critical information such as device identifiers, Wi-Fi settings, SSIDs, and router passwords.

One alarming consequence of these vulnerabilities is that threat actors can impersonate any device of their choosing using leaked IMEI numbers. They can also compel these devices to execute arbitrary commands through specially crafted MQTT messages. This is facilitated by a "bash" command with opcode 1116, which executes remote commands without requiring any authentication beyond the ability to write to the designated topic.


The vulnerabilities have been assigned the following CVE identifiers:

- CVE-2023-33375 (CVSS score: 8.6) - A stack-based buffer overflow vulnerability in the communication protocol, enabling attackers to gain control over devices.
- CVE-2023-33376 (CVSS score: 8.6) - An argument injection vulnerability in the iptables command message, allowing attackers to execute arbitrary OS commands on devices.
- CVE-2023-33377 (CVSS score: 8.6) - An operating system command injection vulnerability in the set firewall command, permitting attackers to execute arbitrary OS commands on devices.
- CVE-2023-33378 (CVSS score: 8.6) - An argument injection vulnerability in the AT command message, facilitating the execution of arbitrary OS commands on devices.
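The two bug classes in that list, OS command injection and argument injection, are easy to confuse, so here is an added illustration (not ConnectedIO's code, and the message fields and iptables rule shape are assumptions, since the real message format is not published here) of a hypothetical "set firewall" handler in its vulnerable, half-fixed and hardened forms:

```python
# Added illustration, not ConnectedIO's code. The message layout
# ({"src", "port", "action"}) and the iptables rule are assumed.
import ipaddress

class RejectedCommand(ValueError):
    """Raised when a message field is not what the command expects."""

ALLOWED_ACTIONS = {"ACCEPT", "DROP"}

def build_vulnerable(msg: dict) -> str:
    # OS command injection (the CVE-2023-33377 class): untrusted fields are
    # pasted into a shell string, so ';' or '$(...)' in a field runs a second command.
    return (f"iptables -A INPUT -s {msg['src']} -p tcp "
            f"--dport {msg['port']} -j {msg['action']}")

def build_argv_only(msg: dict) -> list:
    # No shell, so metacharacters are inert, but a field beginning with '-'
    # still reaches iptables as a token its option parser may honour
    # (argument injection, the CVE-2023-33376 / CVE-2023-33378 class).
    return ["iptables", "-A", "INPUT", "-s", str(msg["src"]), "-p", "tcp",
            "--dport", str(msg["port"]), "-j", str(msg["action"])]

def build_hardened(msg: dict) -> list:
    # Validate every field against the type it must be; anything else is
    # rejected before it gets anywhere near argv. This closes both classes.
    try:
        net = ipaddress.ip_network(str(msg["src"]), strict=False)
    except ValueError as exc:
        raise RejectedCommand(f"source is not an address: {msg['src']!r}") from exc
    port = msg["port"]
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise RejectedCommand(f"port out of range: {port!r}")
    action = msg["action"]
    if action not in ALLOWED_ACTIONS:
        raise RejectedCommand(f"action not allowed: {action!r}")
    return ["iptables", "-A", "INPUT", "-s", str(net), "-p", "tcp",
            "--dport", str(port), "-j", action]

def has_option_shaped_operand(argv: list) -> bool:
    # Detection aid for logs or a message gateway: a value slot (the token
    # after -s, --dport or -j) that looks like an option is a red flag.
    value_slots = {"-s", "--dport", "-j"}
    return any(argv[i] in value_slots and argv[i + 1].startswith("-")
               for i in range(len(argv) - 1))

def is_rejected(msg: dict) -> bool:
    # True when the hardened builder refuses the message.
    try:
        build_hardened(msg)
    except RejectedCommand:
        return True
    return False
```

Only the validated argv should ever be handed to `subprocess.run` (without `shell=True`), and a real handler would also authenticate the sender before reaching that point.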


Moshe emphasized the severity of these vulnerabilities, highlighting the potential risk to countless companies worldwide, including disruptions to business operations and production processes, as well as unauthorized access to internal networks.


This disclosure coincides with ConnectedIO's revelation of vulnerabilities in network-attached storage (NAS) devices from Synology and Western Digital, which could be exploited for impersonation, control, data theft, and redirection of users to attacker-controlled devices. Additionally, it follows the discovery of unpatched vulnerabilities affecting Baker Hughes' Bently Nevada 3500 rack model, with the potential for full device compromise and incorrect measurements or denial-of-service attacks.

The collective impact underscores the critical importance of addressing these vulnerabilities promptly and comprehensively to safeguard digital infrastructure and sensitive data from potential exploitation.

