Kaspersky on Friday raised the alarm on a series of vulnerabilities in Cinterion cellular modems that expose millions of devices to remote code execution attacks.
A series of seven security defects identified in the widely deployed modems could lead to information leaks, elevation of privilege, sandbox escape, arbitrary code execution, and unauthorized access to files and directories on the target system.
The most severe of these flaws is CVE-2023-47610 (CVSS score of 9.8), a buffer overflow issue that “could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted SMS message.”
According to Kaspersky, the successful exploitation of this bug could provide attackers with “unprecedented access” to devices containing the Cinterion BGS5, Cinterion EHS5/6/8, Cinterion PDS5/6/8, Cinterion ELS61/81, and Cinterion PLS62 modems.
“This access also facilitates the manipulation of RAM and flash memory, increasing the potential to seize complete control over the modem’s functionalities—all without authentication or requiring physical access to the device,” Kaspersky says.
To mitigate the risk posed by this bug, users are advised to disable nonessential SMS messaging capabilities, by contacting the mobile operator, and to use a private APN with strict security settings.
The cybersecurity firm also identified vulnerabilities in the handling of Java-based applications called MIDlets that could be exploited to execute code with elevated privileges.
“This flaw poses significant risks not only to data confidentiality and integrity, but it also escalates the threat to broader network security and device integrity,” Kaspersky says.
The issues, tracked as CVE-2023-47611 through CVE-2023-47616, can be mitigated by verifying the digital signature for MIDlets, by strictly controlling physical access to devices, and through regular audits and updates.
Kaspersky reported the flaws to the vendor in February 2023 and published advisories on them in November. Originally developed by Gemalto, the Cinterion modems are now owned by Telit, which acquired the business from Thales last year.
The Cinterion modems are used in various machine-to-machine (M2M) and IoT communications applications, including industrial automation, telematics, smart metering, and healthcare monitoring products.
According to Kaspersky researcher Evgeny Goncharov, the exploitation of these severe flaws could lead to widespread disruptions, given the broad deployment of the vulnerable modems.
“Since the modems are typically integrated in a matryoshka-style within other solutions, with products from one vendor stacked atop those from another, compiling a list of affected end products is challenging. Affected vendors must undertake extensive efforts to manage risks, with mitigation often feasible only on the telecom operators’ side,” Goncharov says.